Vulnerability in Apache Software Foundation StreamPark
CVE-2025-53960
When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user…
EPSS: 0.001 (19.2nd percentile)
Affected products
- Apache Software Foundation StreamPark — version 2.0.0
Weakness classification (CWE)
References
- lists.apache.org/thread/xlpvfzf5l5m5mfyjwrz5h4dssm3c32vy (vendor-advisory)