CVE-2025-30064

Unknown - Info Disclosure

Title source: llm

Description

An insufficiently secured internal function allows session generation for arbitrary users. The decodeParam function checks the JWT but does not verify which signing algorithm was used. As a result, an attacker can use the "ex:action" parameter in the VerifyUserByThrustedService function to generate a session for any user.

References (1)

[Various Sources] https://cert.pl/en/posts/2025/08/CVE-2025-2313/

Scores

EPSS 0.0001

EPSS Percentile 0.8%

Classification

CWE

CWE-912 CWE-347

Status draft

Timeline

Published Aug 27, 2025

Tracked Since Feb 18, 2026