CVE-2025-11609
Published: 11 October 2025
Description
Adversaries may forge web cookies that can be used to gain access to web applications or Internet services.
Security Summary
CVE-2025-11609 is a vulnerability in code-projects Hospital Management System 1.0, specifically in the session function of the express-session component. The application configures express-session with a hard-coded cryptographic key: the "secret" option, which keys the HMAC that signs the session ID cookie, is set to the literal string "secret". The issue is classified under CWE-320 (Missing Cryptographic Key Management) and CWE-321 (Use of Hard-coded Cryptographic Key), was published on 2025-10-11, and carries a CVSS v3.1 base score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N): low severity, reachable over the network, but with high attack complexity.
Remote attackers without privileges can exploit this vulnerability over the network, but the high attack complexity makes it difficult to execute. Successful exploitation yields a limited integrity impact: anyone who knows the secret can produce a validly signed session cookie for a session ID of their choosing. Because express-session keeps session state on the server and only the signed session ID travels in the cookie, a forged signature by itself does not hand the attacker a session; the cookie must also carry a session ID that actually exists in the store. The score records no confidentiality or availability impact.
Advisories and details are documented on sites including VulDB (ctiid.327932, id.327932, submit.672589), a GitHub repository on CVE discovery for the Hospital Management System, and the original code-projects.org page. A public exploit has been released and may be usable; no patch or vendor mitigation is described in the available information.
Because the exploit is public, the risk to unpatched instances of this system is elevated, particularly in healthcare environments running the affected version.
Details
CWE(s)
- CWE-320: Missing Cryptographic Key Management
- CWE-321: Use of Hard-coded Cryptographic Key
Affected Products
- code-projects Hospital Management System 1.0 (express-session configuration, session function)
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
- T1600.001: Weaken Encryption: Reduce Key Space
- T1606.001: Forge Web Credentials: Web Cookies
Why these techniques?
The hard-coded session secret makes the public-facing web application directly exploitable over the network (T1190), collapses the cookie-signing key to a single known value, which is the practical effect of reducing the key space (T1600.001), and lets an attacker forge signed web session cookies to impersonate users (T1606.001).