PT-2025-35169 · Unknown · Coze-Studio

Kexinoh · Published 2025-08-29 · Updated 2025-08-29 · CVE-2025-9604

CVSS v3.1: 3.7
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
coze-studio versions up to 0.2.4

Description
A vulnerability exists due to the use of hard-coded cryptographic keys. The issue is located in an unknown function within the backend/domain/plugin/encrypt/aes.go file. Manipulation of the AuthSecretKey, StateSecretKey, and OAuthTokenSecretKey arguments can trigger this issue. The attack can be initiated remotely and is considered difficult to exploit.

Recommendations
Deploy a patch to address this issue.

Fix

Weakness Enumeration

Related Identifiers

CVE-2025-9604

Affected Products

Coze-Studio