CVE-2025-23027 - Vulnerability Details - OpenCVE

next-forge is a Next.js project boilerplate for modern web application. The BASEHUB_TOKEN commited in apps/web/.env.example. Users should avoid use of this token and should remove any access it may have in their systems.

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00042.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/haydenbleasel/next-forge/commit/239a98f2c308a51d626ae0613102917f82603c1c
https://github.com/haydenbleasel/next-forge/security/advisories/GHSA-wppx-qmqh-9h33

History

Mon, 13 Jan 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 13 Jan 2025 20:00:00 +0000

Type	Values Removed	Values Added
Description		next-forge is a Next.js project boilerplate for modern web application. The BASEHUB_TOKEN commited in apps/web/.env.example. Users should avoid use of this token and should remove any access it may have in their systems.
Title		BASEHUB_TOKEN commited in next-forge
Weaknesses		CWE-312
References		https://github.com/haydenbleasel/next-forge/commit/239a98f2c308a51d626ae0613102917f82603c1c https://github.com/haydenbleasel/next-forge/security/advisories/GHSA-wppx-qmqh-9h33
Metrics		cvssV4_0 `{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-01-13T19:41:43.514Z

Updated: 2025-01-13T20:07:51.314Z

Reserved: 2025-01-10T15:11:08.881Z

Link: CVE-2025-23027

Vulnrichment

Updated: 2025-01-13T20:07:46.209Z

NVD

Status : Received

Published: 2025-01-13T20:15:30.150

Modified: 2025-01-13T20:15:30.150

Link: CVE-2025-23027

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-23027", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-01-10T15:11:08.881Z", "datePublished": "2025-01-13T19:41:43.514Z", "dateUpdated": "2025-01-13T20:07:51.314Z"}, "containers": {"cna": {"title": "BASEHUB_TOKEN commited in next-forge", "problemTypes": [{"descriptions": [{"cweId": "CWE-312", "lang": "en", "description": "CWE-312: Cleartext Storage of Sensitive Information", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/haydenbleasel/next-forge/security/advisories/GHSA-wppx-qmqh-9h33", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/haydenbleasel/next-forge/security/advisories/GHSA-wppx-qmqh-9h33"}, {"name": "https://github.com/haydenbleasel/next-forge/commit/239a98f2c308a51d626ae0613102917f82603c1c", "tags": ["x_refsource_MISC"], "url": "https://github.com/haydenbleasel/next-forge/commit/239a98f2c308a51d626ae0613102917f82603c1c"}], "affected": [{"vendor": "haydenbleasel", "product": "next-forge", "versions": [{"version": "< 3.0.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-13T19:41:43.514Z"}, "descriptions": [{"lang": "en", "value": "next-forge is a Next.js project boilerplate for modern web application. The BASEHUB_TOKEN commited in apps/web/.env.example. Users should avoid use of this token and should remove any access it may have in their systems."}], "source": {"advisory": "GHSA-wppx-qmqh-9h33", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-13T20:07:41.731055Z", "id": "CVE-2025-23027", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-13T20:07:51.314Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-23027", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-13T20:07:41.731055Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-13T20:07:46.209Z"}}], "cna": {"title": "BASEHUB_TOKEN commited in next-forge", "source": {"advisory": "GHSA-wppx-qmqh-9h33", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "haydenbleasel", "product": "next-forge", "versions": [{"status": "affected", "version": "< 3.0.11"}]}], "references": [{"url": "https://github.com/haydenbleasel/next-forge/security/advisories/GHSA-wppx-qmqh-9h33", "name": "https://github.com/haydenbleasel/next-forge/security/advisories/GHSA-wppx-qmqh-9h33", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/haydenbleasel/next-forge/commit/239a98f2c308a51d626ae0613102917f82603c1c", "name": "https://github.com/haydenbleasel/next-forge/commit/239a98f2c308a51d626ae0613102917f82603c1c", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "next-forge is a Next.js project boilerplate for modern web application. The BASEHUB_TOKEN commited in apps/web/.env.example. Users should avoid use of this token and should remove any access it may have in their systems."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-312", "description": "CWE-312: Cleartext Storage of Sensitive Information"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-13T19:41:43.514Z"}}}, "cveMetadata": {"cveId": "CVE-2025-23027", "state": "PUBLISHED", "dateUpdated": "2025-01-13T20:07:51.314Z", "dateReserved": "2025-01-10T15:11:08.881Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-01-13T19:41:43.514Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "next-forge is a Next.js project boilerplate for modern web application. The BASEHUB_TOKEN commited in apps/web/.env.example. Users should avoid use of this token and should remove any access it may have in their systems."}, {"lang": "es", "value": "next-forge es un proyecto Next.js para aplicaciones web modernas. El BASEHUB_TOKEN se incluye en apps/web/.env.example. Los usuarios deben evitar el uso de este token y deben eliminar cualquier acceso que pueda tener en sus sistemas."}], "id": "CVE-2025-23027", "lastModified": "2025-01-13T20:15:30.150", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "LOW", "vulnerableSystemIntegrity": "NONE"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-01-13T20:15:30.150", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/haydenbleasel/next-forge/commit/239a98f2c308a51d626ae0613102917f82603c1c"}, {"source": "security-advisories@github.com", "url": "https://github.com/haydenbleasel/next-forge/security/advisories/GHSA-wppx-qmqh-9h33"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}], "source": "security-advisories@github.com", "type": "Primary"}]}