CVE-2025-62712
📋 TL;DR
An authenticated non-privileged user in JumpServer can retrieve connection tokens belonging to all users via the super-connection API endpoint, allowing them to impersonate other users and gain unauthorized access to managed assets. This affects all JumpServer deployments running versions before v3.10.20-lts and v4.10.11-lts. The vulnerability enables privilege escalation across sensitive systems.
💻 Affected Systems
- JumpServer
📦 What is this software?
Jumpserver by Fit2cloud
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains access to all connection tokens, allowing complete takeover of all managed assets, lateral movement across the entire infrastructure, and potential data exfiltration or system destruction.
Likely Case
An authenticated user (including low-privilege accounts) steals connection tokens from other users, accesses sensitive systems they shouldn't have permission to, and performs unauthorized operations.
If Mitigated
With proper network segmentation and least-privilege access controls, impact is limited to specific segments, but token theft still enables unauthorized access within those segments.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via API endpoint access. The advisory includes technical details that could facilitate exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.10.20-lts and v4.10.11-lts
Vendor Advisory: https://github.com/jumpserver/jumpserver/security/advisories/GHSA-6ghx-6vpv-3wg7
Restart Required: Yes
Instructions:
1. Backup your JumpServer configuration and data.
2. Update to v3.10.20-lts (for v3.x) or v4.10.11-lts (for v4.x).
3. Restart all JumpServer services.
4. Verify the fix by checking the version and testing API endpoint restrictions.
🔧 Temporary Workarounds
API Endpoint Restriction
Temporarily block or restrict access to the vulnerable API endpoint (/api/v1/authentication/super-connection-token/) using web application firewall or reverse proxy rules.
# Example nginx location block
location /api/v1/authentication/super-connection-token/ { deny all; }
Authentication Hardening
Implement strict authentication controls, multi-factor authentication, and monitor for unusual API access patterns.
🧯 If You Can't Patch
- Implement network segmentation to isolate JumpServer from critical assets
- Enable detailed logging and monitoring for all API access to the super-connection endpoint
🔍 How to Verify
Check if Vulnerable:
Check if authenticated users can access /api/v1/authentication/super-connection-token/ and retrieve tokens not belonging to them.
Check Version:
jumpserver --version or check the web interface admin panel
Verify Fix Applied:
After patching, verify that authenticated users can only access their own connection tokens via the API endpoint.
📡 Detection & Monitoring
Log Indicators:
- Multiple GET requests to /api/v1/authentication/super-connection-token/ from a single user
- Unusual connection token usage from unexpected IP addresses or users
Network Indicators:
- Unusual volume of API requests to super-connection endpoint
- Connections to managed assets from JumpServer using unexpected tokens
SIEM Query:
source="jumpserver" AND (url="/api/v1/authentication/super-connection-token/" OR message="super-connection-token")
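A log-scan implementation of the indicators above, added here as an example and not part of the advisory: it flags users with repeated GET requests to the super-connection-token endpoint, or requests to it from more than one source IP. The JSON field names and the sample lines are constructed for this example and are not JumpServer's real access-log format.

```python
import json
from collections import defaultdict

# Endpoint named in the advisory for CVE-2025-62712.
SUPER_TOKEN_PATH = "/api/v1/authentication/super-connection-token/"

# Constructed sample log lines (JSON lines). The field names user, src_ip,
# method and path are an assumption for this example, not JumpServer's real
# access-log schema; map your own log fields onto them.
SAMPLE_LOG = """
{"ts":"2025-10-20T09:00:05Z","user":"bob","src_ip":"10.0.1.9","method":"GET","path":"/api/v1/authentication/super-connection-token/"}
{"ts":"2025-10-20T09:00:06Z","user":"bob","src_ip":"10.0.1.9","method":"GET","path":"/api/v1/authentication/super-connection-token/?limit=100"}
{"ts":"2025-10-20T09:00:07Z","user":"bob","src_ip":"10.0.1.9","method":"GET","path":"/api/v1/authentication/super-connection-token/"}
{"ts":"2025-10-20T09:00:08Z","user":"bob","src_ip":"203.0.113.7","method":"GET","path":"/api/v1/authentication/super-connection-token/"}
{"ts":"2025-10-20T09:01:00Z","user":"carol","src_ip":"10.0.1.12","method":"GET","path":"/api/v1/authentication/super-connection-token/"}
{"ts":"2025-10-20T09:02:00Z","user":"dave","src_ip":"10.0.2.3","method":"GET","path":"/api/v1/assets/assets/"}
"""


def parse_events(text):
    """Parse JSON-lines access log text into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_token_enumeration(events, max_hits=2):
    """Return {user: finding} for users whose GET traffic to the
    super-connection-token endpoint looks like bulk token retrieval:
    more than max_hits requests, or requests from several source IPs."""
    hits = defaultdict(int)
    ips = defaultdict(set)
    for ev in events:
        # Compare the path without its query string so "?limit=100" still matches.
        path = ev.get("path", "").split("?", 1)[0]
        if ev.get("method") == "GET" and path == SUPER_TOKEN_PATH:
            hits[ev["user"]] += 1
            ips[ev["user"]].add(ev["src_ip"])
    findings = {}
    for user, n in hits.items():
        reasons = []
        if n > max_hits:
            reasons.append(f"{n} GET requests to endpoint")
        if len(ips[user]) > 1:
            reasons.append(f"requests from {len(ips[user])} source IPs")
        if reasons:
            findings[user] = {"hits": n, "ips": sorted(ips[user]), "reasons": reasons}
    return findings
```

On the sample data only "bob" is flagged (four requests, two source IPs); a single legitimate retrieval such as "carol" stays below the threshold unless max_hits is lowered.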