Cyber Posture

CVE-2025-65730

Severity: High · Public PoC available

Published: 05 December 2025
Modified: 11 December 2025
KEV Added: not listed
Patch: available (0.62.19)
CVSS Score: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0041 (61.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Authentication Bypass via Hardcoded Credentials

GoAway up to v0.62.18, fixed in 0.62.19, uses a hardcoded secret to sign the JWT tokens it issues for authentication.

Mitigating Controls (NIST 800-53 r5, AI-generated)

IA-5 Authenticator Management (prevent): requires that authenticators, a JWT signing key included, be generated, protected and rotated per installation rather than fixed at build time, which rules out a secret that ships identically with every copy of the binary.

SC-12 Cryptographic Key Establishment and Management (prevent): requires keys to be generated, distributed and stored under defined procedures; a key embedded in source is neither unique to the deployment nor rotatable without a rebuild.

SI-2 Flaw Remediation (prevent): requires that flaws be identified, reported and corrected in a timely manner; here that means upgrading to GoAway 0.62.19.

Security Summary (AI-generated)

CVE-2025-65730 is an authentication bypass in GoAway, versions up to v0.62.18: the application signs the JWT tokens it uses for authentication with a secret that is hardcoded in the code base. The weakness is classified as CWE-798 (Use of Hard-coded Credentials); the entry was published on 2025-12-05 with a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The affected code is in the backend API, as the referenced auth.go and middleware.go files in the pommee/goaway repository indicate.

The vector scores the attack as needing adjacent network access (AV:A) but low complexity, no privileges and no user interaction. Because the signing secret is embedded in a publicly available code base, it is effectively public: anyone who can reach the API can mint a token with arbitrary claims, including the subject and the expiry, and the server will accept it as a valid session. That is a complete authentication bypass, and since the forged token carries whatever identity the attacker chooses, confidentiality, integrity and availability are all rated high: configuration and data can be read or changed and the service disrupted. AV:A describes a deployment reachable only from its local network segment; an instance exposed to the internet is exploitable from anywhere.

The fix is in GoAway 0.62.19 and affected instances should be upgraded without delay. Because the weakness is in the key rather than in the signature check, the upgrade is only complete if the key actually changes: after upgrading, confirm that a token issued before the upgrade is rejected and that the instance's signing secret is not a value shared with other installs. The code changes are in the project repository at https://github.com/pommee/goaway; an additional write-up is at https://github.com/gian2dchris/CVEs/tree/CVE-2025-65730/CVE-2025-65730.
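The forgery described above and the per-instance key that the IA-5 and SC-12 controls call for, as an added Go example that is not GoAway's own code: it implements HS256 JWTs with the standard library only, uses a placeholder constant where the real shipped secret would be, and shows that a token minted with the known secret passes a verifier keyed with that same secret while a verifier keyed with a freshly generated 256-bit secret rejects it. The choice of HS256, the claim layout, the function names and the placeholder secret are all assumptions for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Hypothetical stand-in for a key compiled into the binary (GoAway's real value
// is not reproduced). Any fixed string is equally weak: every copy carries it.
const hardcodedSecret = "example-build-time-secret-do-not-use"

type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decodePart(s string, v any) error {
	b, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// signHS256 produces a compact JWS (header.payload.signature) with HMAC-SHA256.
func signHS256(key []byte, c claims) string {
	payload, _ := json.Marshal(c) // a struct of string and int64 cannot fail to marshal
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64(mac.Sum(nil))
}

// verifyHS256 pins alg to HS256, compares the MAC in constant time and rejects
// expired tokens; claims are only decoded after the signature checks out.
func verifyHS256(key []byte, token string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodePart(parts[0], &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if subtle.ConstantTimeCompare([]byte(b64(mac.Sum(nil))), []byte(parts[2])) != 1 {
		return nil, errors.New("bad signature")
	}
	var c claims
	if err := decodePart(parts[1], &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// newInstanceSecret is the hardened alternative: 256 bits from the OS CSPRNG at
// first start (or loaded from protected config), unique per install and rotatable.
func newInstanceSecret() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// demo reports whether a forged "admin" token is accepted by a verifier keyed
// with the hardcoded secret and by one keyed with a fresh per-instance secret.
func demo(now time.Time) (hardcodedAccepts, perInstanceAccepts bool, err error) {
	instanceKey, err := newInstanceSecret()
	if err != nil {
		return false, false, err
	}
	// Attacker's side: the fixed secret was read out of the public source, so
	// mint a one-hour session for an account that was never authenticated.
	forged := signHS256([]byte(hardcodedSecret), claims{Sub: "admin", Exp: now.Add(time.Hour).Unix()})
	_, errHard := verifyHS256([]byte(hardcodedSecret), forged, now)
	_, errInst := verifyHS256(instanceKey, forged, now)
	return errHard == nil, errInst == nil, nil
}

func main() {
	hard, inst, err := demo(time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("forged token accepted: hardcoded secret=%v, per-instance secret=%v\n", hard, inst)
}
```

Run it with `go run`; the two booleans printed are true and false. The second result is the property to check on a real instance after upgrading: a token minted under the old, shared secret must no longer verify, which only holds if the new version's key is specific to that installation.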

Details

CWE(s)

CWE-798 Use of Hard-coded Credentials

Affected Products

pommee / goaway ≤ 0.62.18 (fixed in 0.62.19)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1078 Valid Accounts (Initial Access, Persistence, Privilege Escalation, Defense Evasion)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1606 Forge Web Credentials (Credential Access)
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.

Why these techniques?

The hardcoded JWT signing secret lets an attacker mint tokens for existing accounts without ever authenticating: producing the token is Forge Web Credentials (T1606), and presenting it to the application as a legitimate session is Valid Accounts (T1078).
