PT-2025-44428 · Unknown · Jumpserver

Published: 2025-10-30 · Updated: 2025-11-12 · CVE-2025-62712

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: JumpServer versions prior to v3.10.20-lts and v4.10.11-lts

Description: JumpServer is an open source bastion host and operations and maintenance security audit system. In affected versions, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint /api/v1/authentication/super-connection-token/. When accessed from a web browser, this endpoint incorrectly returns connection tokens created by all users instead of restricting results to tokens owned by, or authorized for, the requester. An attacker who obtains these tokens can initiate connections to managed assets on behalf of the original token owners, potentially leading to unauthorized access and privilege escalation.

Recommendations: Versions prior to v3.10.20-lts should be updated to v3.10.20-lts or later. Versions prior to v4.10.11-lts should be updated to v4.10.11-lts or later.
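The flaw class described above is a missing object-level authorization check on a list endpoint. The following is an added illustration, not JumpServer's code and not the project's fix: a hypothetical token store with a listing routine that ignores the requester (the vulnerable shape) beside one that scopes results to tokens the requester owns or is authorized for, plus a helper an auditor could use to measure what the unscoped listing leaks. Every token, user and asset name is constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionToken:
    """One connection token; a hypothetical record shape, not JumpServer's model."""
    token_id: str
    owner: str                                   # user who created the token
    asset: str                                   # managed asset it grants access to
    authorized_users: frozenset = frozenset()    # other users allowed to use it


# Constructed sample data: tokens created by two users, one shared with a third.
TOKENS = (
    ConnectionToken("t-1", owner="alice", asset="db-prod-01"),
    ConnectionToken("t-2", owner="bob", asset="web-01",
                    authorized_users=frozenset({"carol"})),
    ConnectionToken("t-3", owner="bob", asset="bastion-02"),
)


def list_tokens_vulnerable(requester: str, tokens=TOKENS):
    """Missing authorization: the requester's identity is never consulted,
    so every token in the store is returned to any authenticated user."""
    return [t.token_id for t in tokens]


def list_tokens_fixed(requester: str, tokens=TOKENS):
    """Object-level authorization: return only tokens the requester owns
    or is explicitly authorized to use."""
    return [
        t.token_id for t in tokens
        if t.owner == requester or requester in t.authorized_users
    ]


def leaked_token_ids(requester: str, tokens=TOKENS):
    """Token ids the unscoped listing exposes that the requester has no
    right to see; a non-empty result is the condition a reviewer or a
    response-size/ownership check in logging should flag."""
    allowed = set(list_tokens_fixed(requester, tokens))
    return [tid for tid in list_tokens_vulnerable(requester, tokens)
            if tid not in allowed]


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, "unscoped:", list_tokens_vulnerable(user),
              "scoped:", list_tokens_fixed(user),
              "leaked:", leaked_token_ids(user))
```

The scoped variant applies the filter on the server, keyed on the authenticated identity, rather than trusting any user-supplied owner parameter; the leak helper shows why a fix must be verified per requester, since a low-privilege account such as "dave" with no tokens of its own still receives the full set from the unscoped listing.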

Tags: LPE, Missing Authorization

Weakness Enumeration

Related Identifiers: CVE-2025-62712, GHSA-6GHX-6VPV-3WG7

Affected Products: Jumpserver