CVE-2025-30206

CRITICAL EPSS 49.3%

Published Apr 15, 20251y ago · Modified Jun 17, 20261w ago

9.8 CVSS 3.1

Critical

Published Apr 15, 2025 1y ago

Last Modified Jun 17, 2026 1w ago

Description

Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw allows attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens, an attacker can successfully bypass authentication mechanisms, impersonate privileged users, and gain unauthorized administrative access. Consequently, this enables full control over the host machine, potentially leading to severe consequences such as sensitive data exposure, unauthorized command execution, privilege escalation, or further lateral movement within the network environment. This issue is patched in version 1.6.1. A workaround for this vulnerability involves replacing the hardcoded secret with a securely generated value and load it from secure configuration storage.

CVSS Details

Base Score

9.8

Exploitability

3.9

Impact

5.9

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

49.3% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 3

CWE-321

CWE-453

CWE-547

References 1

github.com https://github.com/donknap/dpanel/security/advisories/GHSA-j752-cjcj-w847

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.