It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. To fix this issue, it is recommended to deploy a patch. The vendor replied to the GitHub issue (translated from simplified Chinese): "For scenarios requiring encryption, we will implement user-defined key management through configuration and optimize the use of encryption tools, such as random salt."
Fri, 29 Aug 2025 14:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics | ssvc |
Fri, 29 Aug 2025 01:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | A vulnerability was identified in coze-studio up to 0.2.4. The impacted element is an unknown function of the file backend/domain/plugin/encrypt/aes.go. The manipulation of the argument AuthSecretKey/StateSecretKey/OAuthTokenSecretKey leads to use of hard-coded cryptographic key. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. To fix this issue, it is recommended to deploy a patch. The vendor replied to the GitHub issue (translated from simplified Chinese): "For scenarios requiring encryption, we will implement user-defined key management through configuration and optimize the use of encryption tools, such as random salt." | |
Title | coze-studio aes.go hard-coded key | |
Weaknesses | CWE-320 CWE-321 | |
References | | |
Metrics | cvssV2_0 |

Status: PUBLISHED
Assigner: VulDB
Published:
Updated: 2025-08-29T13:36:16.125Z
Reserved: 2025-08-28T15:13:46.197Z
Link: CVE-2025-9604

Updated: 2025-08-29T13:36:12.670Z

Status : Awaiting Analysis
Published: 2025-08-29T02:15:32.730
Modified: 2025-08-29T16:24:29.730
Link: CVE-2025-9604