PT-2025-35169 · Unknown · Coze-Studio

·

CVE-2025-9604

·

Published

2025-08-29

·

Updated

2025-08-29

CVSS v4.0

6.3

Medium

VectorAV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X
Name of the Vulnerable Software and Affected Versions coze-studio versions up to 0.2.4
Description A vulnerability exists due to the use of hard-coded cryptographic keys. The issue is located in an unknown function within the backend/domain/plugin/encrypt/aes.go file. Manipulation of the AuthSecretKey, StateSecretKey, and OAuthTokenSecretKey arguments can trigger this issue. The attack can be initiated remotely and is considered difficult to exploit.
Recommendations Deploy a patch to address this issue.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2025-9604

Affected Products

Coze-Studio