PT-2026-3943 · Nerves Hub · Nerveshub

Published 2026-01-22 · Updated 2026-02-17 · CVE-2025-64097
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: NervesHub versions 1.0.0 through 2.2.9
Description: NervesHub is a web service for managing over-the-air (OTA) firmware updates. Before 2.3.0, user API tokens were generated in a predictable format: the token embedded user-identifiable components and was not derived from a cryptographically secure random source, so an attacker who knew the format could guess or enumerate valid tokens without first obtaining one. A forged token carries the same privileges as the user it names, so successful exploitation gives unauthorized access to that user's account and to the API actions that user can perform. The CVSS vector (AV:N, PR:N, UI:N) reflects that the attack needs no existing credential and no user interaction, only network reach to the API.
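The enumeration path described above, as an added worked example that is not code from NervesHub or from this advisory. It contrasts a deliberately weak token scheme (a user id plus a CRC32 check value, a hypothetical construction chosen to illustrate CWE-330 and not NervesHub's actual pre-2.3.0 format) with a hardened one (32 bytes from the operating system CSPRNG, kept server-side only as a SHA-256 digest). The `nhu_` prefix, the `TokenStore` class, the sample user ids and all function names are assumptions of the example.

```python
"""Predictable vs. CSPRNG-backed user API tokens (added example, not NervesHub code).

The weak scheme is a hypothetical construction for illustration only: the token
is a pure function of public data (the user id), so anyone who knows the format
can forge every user's token without ever seeing one.  It is not NervesHub's
actual pre-2.3.0 token format.
"""
import hashlib
import secrets
import zlib
from typing import Callable, Dict, List, Optional

TOKEN_PREFIX = "nhu_"   # assumed prefix, shared by both schemes for comparison
TOKEN_BYTES = 32        # 256 bits of CSPRNG entropy in the hardened scheme


class TokenStore:
    """Server side.  Keeps SHA-256 digests of issued tokens rather than the
    tokens themselves, so a database leak does not hand out live credentials."""

    def __init__(self) -> None:
        self._user_by_digest: Dict[str, int] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int, token: str) -> None:
        self._user_by_digest[self._digest(token)] = user_id

    def authenticate(self, presented: str) -> Optional[int]:
        # Lookup is keyed by the digest, so the comparison never touches raw
        # token bytes and leaks nothing about them through timing.
        return self._user_by_digest.get(self._digest(presented))


def weak_token(user_id: int) -> str:
    """Hypothetical weak scheme: user id plus a CRC32 'check value'.
    Nothing in it is secret, so it can be recomputed from the id alone."""
    crc = zlib.crc32(str(user_id).encode()) & 0xFFFFFFFF
    return f"{TOKEN_PREFIX}{user_id}_{crc:08x}"


def strong_token(_user_id: int = 0) -> str:
    """Hardened scheme: TOKEN_BYTES bytes from the OS CSPRNG, hex-encoded.
    The user id is accepted only so both schemes share a signature; it is
    deliberately not mixed into the token."""
    return TOKEN_PREFIX + secrets.token_hex(TOKEN_BYTES)


def provision(scheme: Callable[[int], str], user_ids: List[int]) -> TokenStore:
    """Issue one token per user with the given scheme and record its digest."""
    store = TokenStore()
    for uid in user_ids:
        store.issue(uid, scheme(uid))
    return store


def enumerate_users(store: TokenStore, forge: Callable[[int], str],
                    id_range: range) -> List[int]:
    """Attacker who knows the format but holds no token: forge one candidate
    per user id and keep the ids the server accepts."""
    return [uid for uid in id_range if store.authenticate(forge(uid)) == uid]


def guess_random(store: TokenStore, attempts: int) -> int:
    """Blind guessing against the hardened scheme; each try has 2^-256 odds."""
    return sum(1 for _ in range(attempts)
               if store.authenticate(strong_token()) is not None)


if __name__ == "__main__":
    users = [1, 2, 3, 42, 1000]          # constructed sample user ids
    weak_store = provision(weak_token, users)
    strong_store = provision(strong_token, users)
    print("weak scheme, ids compromised by enumeration:",
          enumerate_users(weak_store, weak_token, range(1, 1001)))
    print("strong scheme, ids compromised by enumeration:",
          enumerate_users(strong_store, weak_token, range(1, 1001)))
    print("strong scheme, hits from 10000 random guesses:",
          guess_random(strong_store, 10_000))
```

Against the weak store the attacker recovers every registered user id in one pass over the id space; against the hardened store the same forge yields nothing, and random guessing is hopeless at 256 bits. The same split applies in the project's own stack: draw token bytes from `:crypto.strong_rand_bytes/1`, keep no user-identifying component in the token, and persist only a hash of it.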
Recommendations: Upgrade any NervesHub deployment running a version prior to 2.3.0 to 2.3.0 or later. Until the upgrade is in place, restrict network access to the NervesHub server (for example, firewall the API to known operator and device source addresses); this limits who can attempt enumeration but does not remove the weakness. The advisory does not state whether tokens issued under the old scheme remain valid after the upgrade, so treat existing user API tokens as exposed and revoke and reissue them once 2.3.0 is running.

Weakness Enumeration: Use of Insufficiently Random Values (CWE-330)

Related Identifiers: CVE-2025-64097, GHSA-m9vj-776q-vc8m

Affected Products: Nerveshub