Apache StreamPark, JWT Security Misconfiguration, CVE-2025-53960 (Critical)


How the CVE Works

Apache StreamPark versions 2.0.0 to 2.1.6 use the user’s plaintext password as the HMAC signing key for JSON Web Token (JWT) generation. When a user logs in, the system creates a JWT (e.g., using the HS256 algorithm) and signs it with a secret key derived directly from the user’s supplied password. This design flaw means the strength of the JWT, which is used for session authentication, is identical to the strength of the user’s password.

An attacker who captures or intercepts one of these JWTs (for example, via a man-in-the-middle attack or by logging it) obtains a cryptographically signed token. Because the signature is created using the password, the attacker can attempt to crack the password offline by brute-forcing the HMAC key. Tools like hashcat can be used to test millions of potential passwords against the JWT’s signature until a match is found.

Once the password is discovered, the attacker can forge new, valid JWTs for that user by signing them with the cracked password. This allows the attacker to impersonate the user indefinitely, leading to a complete account takeover. The attack does not require repeated interaction with the application server, making it efficient and difficult to detect.

DailyCVE Form

Platform: Apache StreamPark
Version: 2.0.0-2.1.6
Vulnerability: JWT Key Misuse
Severity: Critical
Date: 12/12/2025

Prediction: Patched 12/12/2025

What Undercode Says

Analytics

Capture a JWT from HTTP traffic:
  tcpdump -i any -A port 10000 | grep -i "authorization"

Decode the JWT header to confirm the algorithm:
  echo -n "eyJhbGciOiJIUzI1NiIs...<token>" | cut -d '.' -f 1 | base64 --decode | jq .

Offline brute-force with hashcat (JWT mode 16500, wordlist attack):
  hashcat -m 16500 -a 0 captured_jwt.txt rockyou.txt

Generate a forged JWT with a known key (Python, PyJWT):
  import jwt
  # "cracked_password" stands for the recovered password, which is the HMAC key
  forged_token = jwt.encode({"user": "admin"}, key="cracked_password", algorithm="HS256")

How the Exploit Works

  1. Attacker intercepts a valid JWT token for a target user.
  2. Attacker extracts the JWT signature and decodes its header to confirm the HS256 algorithm.
  3. Attacker performs an offline brute-force attack against the JWT signature using a hash mode for HMAC-SHA256 signed JWTs.
  4. Upon successfully cracking the user’s password, the attacker forges a new JWT token with administrative claims.
  5. The attacker uses the forged token to authenticate to Apache StreamPark as the compromised user, gaining full control.

Protection from this CVE

Immediately upgrade Apache StreamPark to version 2.1.7 or later.
Implement a secure, system-managed cryptographic secret for JWT signing that is independent of user credentials.
Enforce strong password policies to increase the difficulty of brute-force attacks.
Use HTTPS exclusively to protect tokens in transit and consider short token expiration times.
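The contrast between the flawed design described under "How the CVE Works" and the system-managed secret recommended above, as an added example that is not part of this advisory or of the StreamPark code base. It uses only the Python standard library to mint and verify HS256 JWTs; the user name, password, port-free claims and key-length check are constructed for illustration, and the 32-byte minimum follows the RFC 7518 recommendation for HS256 keys.

```python
"""Added example (not from the advisory or StreamPark): HS256 JWTs signed with a
user's password versus a server-held random secret. All names and values are
constructed for illustration."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Iterable, Optional

MIN_KEY_BYTES = 32  # RFC 7518 section 3.2: HS256 keys should be at least 256 bits


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the signing input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
    except ValueError:  # malformed base64 or JSON
        return None
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    claims = json.loads(b64url_decode(p))
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        return None
    return claims


def mint_session_vulnerable(username: str, password: str, now: float) -> str:
    """The pattern the advisory describes: the plaintext password is the HMAC key,
    so whoever holds the token can test password guesses against it offline."""
    return sign_hs256({"sub": username, "iat": int(now)}, password.encode("utf-8"))


def key_problems(key: bytes, user_credentials: Iterable[bytes]) -> list:
    """Start-up check a server could run on its configured JWT signing key."""
    problems = []
    if len(key) < MIN_KEY_BYTES:
        problems.append("key shorter than %d bytes" % MIN_KEY_BYTES)
    if key in set(user_credentials):
        problems.append("key equals a user credential")
    return problems


def mint_session(username: str, server_key: bytes, now: float, ttl_seconds: int = 900) -> str:
    """Hardened pattern: a random server-held secret plus a short expiry."""
    claims = {"sub": username, "iat": int(now), "exp": int(now) + ttl_seconds}
    return sign_hs256(claims, server_key)


def demo() -> dict:
    now = 1_700_000_000.0
    password = "Summer2024!"                         # constructed user password
    server_key = secrets.token_bytes(MIN_KEY_BYTES)  # generated once, kept in server config
    weak = mint_session_vulnerable("alice", password, now)
    strong = mint_session("alice", server_key, now)
    return {
        # the flawed token verifies with nothing more than the user's password
        "weak_verifies_with_password": verify_hs256(weak, password.encode()) is not None,
        # the hardened token needs the server key, and the password is useless against it
        "strong_rejects_password": verify_hs256(strong, password.encode(), now) is None,
        "strong_verifies_with_server_key": verify_hs256(strong, server_key, now) is not None,
        "strong_expires": verify_hs256(strong, server_key, now + 901) is None,
        "password_as_key_problems": key_problems(password.encode(), {password.encode()}),
        "server_key_problems": key_problems(server_key, {password.encode()}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `key_problems` check is the part worth wiring into a real deployment: reject a signing key that is short or that matches anything a user could have chosen, and keep the key in server configuration rather than deriving it from a credential. The `exp` handling in `verify_hs256` is what makes the short-lived-token advice above enforceable on the server side.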

Impact

Complete account takeover, unauthorized access to all user privileges and data, and potential full system compromise if the affected account has administrative rights.


Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
