CVE-2025-14651

3.7 LOW

📋 TL;DR

This vulnerability in MartialBE one-hub involves the use of a hard-coded cryptographic key for session secrets in the docker-compose.yml file. Attackers could potentially decrypt or forge session data, compromising user authentication and authorization. Organizations using the default docker-compose configuration for production deployments are affected.

💻 Affected Systems

Products:
  • MartialBE one-hub
Versions: Up to and including 0.14.27
Operating Systems: All platforms using Docker
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using the default docker-compose.yml file with hard-coded SESSION_SECRET values.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could decrypt session data, impersonate users, escalate privileges, and gain unauthorized access to sensitive information and administrative functions.

🟠 Likely Case

Session hijacking leading to unauthorized access to user accounts and potential data exposure.

🟢 If Mitigated

Minimal impact with proper key rotation and secure configuration management.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploit details are publicly available in GitHub issues, though successful exploitation requires specific conditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://github.com/MartialBE/one-hub/issues/872

Restart Required: Yes

Instructions:

1. Review docker-compose.yml file
2. Replace hard-coded SESSION_SECRET value with a secure random string
3. Restart all affected containers
4. Rotate all existing session tokens

🔧 Temporary Workarounds

Manual Configuration Update (linux)

Manually edit docker-compose.yml so that SESSION_SECRET is read from an environment variable or set to a secure random value instead of the committed literal. In the command below, hardcoded_value stands for the literal currently in the file and must be replaced with it before running. Compose substitutes ${SESSION_SECRET} from the shell environment or a .env file next to docker-compose.yml, so the new value has to be defined there before the containers are restarted.

sed -i 's/SESSION_SECRET=hardcoded_value/SESSION_SECRET=${SESSION_SECRET}/g' docker-compose.yml

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable instances
  • Deploy web application firewall with session protection rules

🔍 How to Verify

Check if Vulnerable:

Inspect docker-compose.yml file for hard-coded SESSION_SECRET values (lines 15-38 in reference)

Check Version:

Check package.json or version file in one-hub installation directory

Verify Fix Applied:

Confirm SESSION_SECRET uses environment variable or secure random value, not hard-coded string
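Added example (not code from the one-hub project or from this advisory) that covers both the sed workaround above and the "Check if Vulnerable" step: a POSIX shell script that classifies the SESSION_SECRET entry of a docker-compose.yml as hard-coded or a deploy-time reference, rewrites a literal to ${SESSION_SECRET}, and generates a replacement secret. It assumes the entry sits under environment: as either "- SESSION_SECRET=value" (list form) or "SESSION_SECRET: value" (map form); the sample compose fragment and its placeholder literal are constructed, not the value from the affected file.

```shell
#!/bin/sh
# Added example, not one-hub's own code: audit a docker-compose.yml for a
# SESSION_SECRET committed as a literal, rewrite it to a deploy-time
# ${SESSION_SECRET} reference, and mint a replacement secret.
# Assumes list form "- SESSION_SECRET=value" or map form "SESSION_SECRET: value".

# Print "hardcoded", "env-ref" or "absent" for the compose file given as $1.
session_secret_status() {
  vals=$(grep -E '^[[:space:]]*(-[[:space:]]*)?"?SESSION_SECRET"?[[:space:]]*[=:]' "$1" \
         | sed -E 's/^[^=:]*[=:][[:space:]]*//' | tr -d "\"'")
  [ -n "$vals" ] || { echo absent; return 0; }
  status=env-ref
  for v in $vals; do
    case "$v" in
      '$'*) ;;                # ${SESSION_SECRET} / $SESSION_SECRET: injected at deploy time
      *) status=hardcoded ;;  # literal secret committed to the file
    esac
  done
  echo "$status"
}

# Rewrite a literal SESSION_SECRET (unquoted list form or map form) to
# ${SESSION_SECRET}; entries already referencing a variable are left alone.
rewrite_session_secret() {
  sed -i.bak -E \
    -e 's/^([[:space:]]*-[[:space:]]*)SESSION_SECRET="?[^$"].*$/\1SESSION_SECRET=${SESSION_SECRET}/' \
    -e 's/^([[:space:]]*)SESSION_SECRET:[[:space:]]*"?[^$"].*$/\1SESSION_SECRET: ${SESSION_SECRET}/' "$1"
}

# 64 hex characters from the kernel RNG, to export as SESSION_SECRET (or put in
# a .env file kept out of version control) before restarting the containers.
generate_session_secret() {
  od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Constructed compose fragment for demonstration; the literal is a placeholder,
# not the value from the affected one-hub file.
write_sample_compose() {
  cat > "$1" <<'EOF'
services:
  one-hub:
    image: example/one-hub:placeholder
    environment:
      - SESSION_SECRET=PLACEHOLDER_LITERAL_SECRET
      - TZ=UTC
EOF
}
```

Run session_secret_status against the real file first; rewrite_session_secret leaves a .bak copy of the original beside it, and a quoted list-form entry ("- \"SESSION_SECRET=...\"") is reported but not rewritten.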

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts from same session
  • Session ID reuse across different IPs

Network Indicators:

  • Unusual session token patterns
  • Multiple users with identical session characteristics

SIEM Query:

source="application_logs" AND (message="SESSION_SECRET" OR message="invalid session")
