CVE-2025-54947
Apache StreamPark: Use hard-coded key vulnerability
Description
In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue.
INFO
Published Date :
Dec. 12, 2025, 3:15 p.m.
Last Modified :
Dec. 15, 2025, 5:20 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | MEDIUM | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | ||||
| CVSS 3.1 | CRITICAL | [email protected] |
Solution
- Upgrade Apache StreamPark to version 2.1.7.
- Apply vendor patches or updates.
- Reconfigure encryption key management.
- Review encrypted data integrity.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-54947.
| URL | Resource |
|---|---|
| https://lists.apache.org/thread/kdntmzyzrco75x9q6mc6s8lty1fxmog1 | Mailing List |
| http://www.openwall.com/lists/oss-security/2025/12/12/3 | Mailing List |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-54947 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-54947
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-54947 vulnerability anywhere in the article.
-
CybersecurityNews
Apache StreamPark Vulnerability Let Attackers Access Sensitive Data
A critical security vulnerability has been discovered in Apache StreamPark that could allow attackers to decrypt sensitive information and gain unauthorized system access. The vulnerability stems from ... Read more
-
Daily CyberSecurity
Apache StreamPark Flaw Risks Data Decryption & Token Forgery via Hard-Coded Key and AES ECB Mode
The maintainers of Apache StreamPark, a popular framework for developing streaming applications, have issued a critical security advisory after discovering fundamental flaws in how the platform handle ... Read more
The following table lists the changes that have been made to the
CVE-2025-54947 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Dec. 15, 2025
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-798 Added CPE Configuration OR *cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:* versions from (including) 2.0.0 up to (excluding) 2.1.7 Added Reference Type Apache Software Foundation: https://lists.apache.org/thread/kdntmzyzrco75x9q6mc6s8lty1fxmog1 Types: Mailing List Added Reference Type CVE: http://www.openwall.com/lists/oss-security/2025/12/12/3 Types: Mailing List -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Dec. 12, 2025
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Dec. 12, 2025
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2025/12/12/3 -
New CVE Received by [email protected]
Dec. 12, 2025
Action Type Old Value New Value Added Description In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue. Added CWE CWE-321 Added Reference https://lists.apache.org/thread/kdntmzyzrco75x9q6mc6s8lty1fxmog1