CVE-2025-66910

MEDIUM

Turms Server v0.10.0-SNAPSHOT - Info Disclosure

Title source: llm

Description

Turms Server v0.10.0-SNAPSHOT and earlier contains a plaintext password storage vulnerability in the administrator authentication system. The BaseAdminService class caches administrator passwords in plaintext within AdminInfo objects to optimize authentication performance. Upon successful login, raw passwords are stored unencrypted in memory in the rawPassword field. Attackers with local system access can extract these passwords through memory dumps, heap analysis, or debugger attachment, bypassing bcrypt protection.

References (4)

[Exploit, Third Party Advisory] https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66910_report.md

View Exploit ZIP pw:eip

[Product] https://github.com/turms-im/turms

[Product] https://github.com/turms-im/turms/blob/develop/turms-server-common/src/main/java/im/turms/server/common/domain/admin/bo/AdminInfo.java#L34

[Product] https://github.com/turms-im/turms/blob/develop/turms-server-common/src/main/java/im/turms/server/common/domain/admin/service/BaseAdminService.java#L237

Scores

CVSS v3 6.0

EPSS 0.0015

EPSS Percentile 35.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-532 CWE-256

Status published

Products (1)

turms-im/turms 0.10.0-snapshot

Published Dec 19, 2025

Tracked Since Feb 18, 2026