CVE-2025-14651

LOW EPSS 21.5%
Published Dec 14, 20256mo ago · Modified Jun 17, 20261w ago
2.9 CVSS 4.0
Low
Find Similar
Published Dec 14, 2025 6mo ago
Last Modified Jun 17, 2026 1w ago

Description

A vulnerability has been found in MartialBE one-hub up to 0.14.27. This vulnerability affects unknown code of the file docker-compose.yml. The manipulation of the argument SESSION_SECRET leads to use of hard-coded cryptographic key . The attack may be initiated remotely. The complexity of an attack is rather high. It is stated that the exploitability is difficult. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. The code maintainer recommends (translated from Chinese): "The default docker-compose example file is not recommended for production use. If you intend to use it in production, please carefully check and modify every configuration and environment variable yourself!"

CVSS Details

Base Score
2.9
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
21.5% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 2

CWE-320
CWE-321

References 6

  • github.com https://github.com/MartialBE/one-hub/blob/main/docker-compose.yml#L15C24-L15C38
  • github.com https://github.com/MartialBE/one-hub/issues/872
  • github.com https://github.com/MartialBE/one-hub/issues/872#issuecomment-3616033169
  • vuldb.com https://vuldb.com/?ctiid.336384
  • vuldb.com https://vuldb.com/?id.336384
  • vuldb.com https://vuldb.com/?submit.710249

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.