Apache StreamPark: Weak Fixed Encryption Keys (v2.0.0 to 2.1.6)
CVE-2025-53960 Published on December 12, 2025
Apache StreamPark: Uses the user’s password as the secret key
When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is already known, ultimately leading to complete account takeover.
This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.
Users are recommended to upgrade to version 2.1.7, which fixes the issue.
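To make the failure mode concrete, here is an added example (written for this page, not StreamPark's own code) that models the described pattern with the Python standard library only: an HS256 JWT is signed with the user's password as the HMAC key, an attacker holding one captured token recovers the password by offline guessing, forges a token for that user, and the hardened variant signs with a server-held random secret instead. The claim names, the `SAMPLE_WORDLIST` and the function names are assumptions for illustration, not StreamPark identifiers.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Iterable, Optional

# Constructed sample dictionary an attacker might try (assumption, not from the advisory).
SAMPLE_WORDLIST = ["password", "123456", "letmein", "hunter2", "qwerty"]


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used by JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce header.payload.signature with alg=HS256 over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the HMAC over header.payload matches, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


# --- Weak pattern the advisory describes: the user's password is the signing key ---
def issue_token_password_as_key(username: str, password: str) -> str:
    # Hypothetical model of the flaw; the real project's claim layout is not shown on this page.
    return sign_hs256({"sub": username}, password.encode("utf-8"))


def offline_bruteforce(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Attacker side: test password guesses against one captured token.
    Each guess costs a single HMAC-SHA256 and never touches the server, so
    login rate limits and lockouts do not apply."""
    for guess in wordlist:
        if verify_hs256(token, guess.encode("utf-8")) is not None:
            return guess
    return None


def forge_token_with_known_password(username: str, password: str, extra_claims: dict) -> str:
    """Once the password is known, arbitrary claims can be signed as that user."""
    return sign_hs256({"sub": username, **extra_claims}, password.encode("utf-8"))


# --- Hardened pattern: a random server-side secret independent of any password ---
SERVER_JWT_SECRET = secrets.token_bytes(32)  # 256-bit key, generated once, kept server-side


def issue_token_fixed(username: str) -> str:
    return sign_hs256({"sub": username}, SERVER_JWT_SECRET)


if __name__ == "__main__":
    captured = issue_token_password_as_key("admin", "hunter2")
    print("recovered password:", offline_bruteforce(captured, SAMPLE_WORDLIST))
    print("fixed token recoverable:", offline_bruteforce(issue_token_fixed("admin"), SAMPLE_WORDLIST))
```

The brute-force loop is the whole point: with a server secret the search space is 2^256 and the loop finds nothing, whereas with a password as key the search space is the password's entropy and the attack runs entirely offline against a token sniffed or leaked from a log. A fixed server also needs an independent check that the secret is never derived from user-controlled data.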
Vulnerability Analysis
CVE-2025-53960 is exploitable with network access and does not require privileges or user interaction. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit is rated as high for confidentiality, with no impact on integrity or availability. Note that the description above (forging tokens for a known password, leading to account takeover) implies an integrity consequence that this summary rating does not reflect.
Weakness Type
Use of a Risky Cryptographic Primitive
This device implements a cryptographic algorithm using a non-standard or unproven cryptographic primitive.
Products Associated with CVE-2025-53960
Affected Versions
Apache Software Foundation Apache StreamPark: versions from 2.0.0 up to, but not including, 2.1.7 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.