Vulnerability in Nerves-hub Nerves_hub_web
CVE-2025-64097
NervesHub is a web service that allows users to manage over-the-air (OTA) firmware updates of devices in the field. A vulnerability present starting in version 1.0.0 and prior to version 2.3.0 allowed attackers to brute-force user API toke…
EPSS: 0.000 (6.6th percentile)
Affected products
- Nerves-hub Nerves_hub_web — versions >= 1.0.0, < 2.3.0
Weakness classification (CWE)
References
- https://github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-m9vj-776q-vc8m (x_refsource_CONFIRM)
- https://github.com/nerves-hub/nerves_hub_web/pull/2024 (x_refsource_MISC)
- https://github.com/nerves-hub/nerves_hub_web/releases/tag/v2.3.0 (x_refsource_MISC)