CVE-2025-62795
📋 TL;DR
This vulnerability allows low-privileged authenticated users in JumpServer to bypass authorization checks and invoke LDAP configuration tests or synchronization via WebSocket messages. This could expose LDAP credentials or trigger unintended synchronization operations. All JumpServer deployments prior to the fixed versions are affected.
💻 Affected Systems
- JumpServer
📦 What is this software?
Jumpserver by Fit2cloud
⚠️ Risk & Real-World Impact
Worst Case
LDAP credentials are exposed, allowing attackers to compromise the LDAP directory, or unauthorized synchronization disrupts user access and system operations.
Likely Case
Attackers with low-privileged access can trigger LDAP synchronization, potentially causing service disruption or exposing limited LDAP data.
If Mitigated
With proper network segmentation and monitoring, impact is limited to internal disruption without credential exposure.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via crafted WebSocket messages.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.10.21-lts and v4.10.12-lts
Vendor Advisory: https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7893-256g-m822
Restart Required: Yes
Instructions:
1. Backup current configuration and data.
2. Update JumpServer to v3.10.21-lts or v4.10.12-lts using your deployment method (Docker, package manager, etc.).
3. Restart the JumpServer service.
4. Verify functionality post-update.
🔧 Temporary Workarounds
Restrict WebSocket Access
Limit access to the /ws/ldap/ WebSocket endpoint using network controls or WAF rules.
Disable LDAP Integration
Temporarily disable LDAP configuration if not essential, reducing attack surface.
🧯 If You Can't Patch
- Implement strict access controls to limit low-privileged user access to JumpServer.
- Monitor WebSocket traffic to /ws/ldap/ for unusual activity and alert on unauthorized attempts.
🔍 How to Verify
Check if Vulnerable:
Check JumpServer version via web interface or configuration files; if below v3.10.21-lts or v4.10.12-lts, it is vulnerable.
Check Version:
docker inspect jumpserver/jumpserver:latest | grep version OR check web admin interface
Verify Fix Applied:
Confirm version is v3.10.21-lts or v4.10.12-lts and test LDAP configuration functionality works as expected.
📡 Detection & Monitoring
Log Indicators:
- Unusual WebSocket connections to /ws/ldap/ from low-privileged users
- LDAP synchronization events triggered by non-admin users
Network Indicators:
- WebSocket traffic to /ws/ldap/ endpoint with crafted messages
SIEM Query:
source="jumpserver" AND (url_path="/ws/ldap/" OR event="ldap_sync") AND user_role!="admin"
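The SIEM query above, rewritten as a small detector and run over constructed log lines; this is an added example, not part of the advisory or of JumpServer's own tooling. Only the field names (url_path, event, user_role) come from the query; the JSON-lines layout, the ws_connect event name and the reverse-proxy path prefix are assumptions.

```python
import json
from typing import Iterable

# Field names follow the advisory's SIEM query; the JSON-lines layout and the
# "ws_connect" event name are assumptions, not JumpServer's real log format.
LDAP_WS_PATH = "/ws/ldap/"
PRIVILEGED_ROLES = {"admin"}

# Constructed sample log lines, not captured from a real deployment.
SAMPLE_LOGS = """\
{"ts":"2025-11-03T10:01:12Z","user":"alice","user_role":"admin","url_path":"/ws/ldap/","event":"ws_connect"}
{"ts":"2025-11-03T10:02:40Z","user":"bob","user_role":"user","url_path":"/ws/ldap/","event":"ws_connect"}
{"ts":"2025-11-03T10:02:41Z","user":"bob","user_role":"user","url_path":"/ws/ldap/","event":"ldap_sync"}
{"ts":"2025-11-03T10:03:05Z","user":"carol","user_role":"user","url_path":"/api/v1/users/","event":"http_get"}
{"ts":"2025-11-03T10:04:00Z","user":"dave","user_role":"auditor","url_path":"/proxy/ws/ldap/","event":"ws_connect"}
not a json record, should be skipped without crashing the detector
"""


def classify(record: dict) -> list[str]:
    """Return the advisory indicators matched by one log record (empty if none)."""
    hits = []
    if record.get("user_role") in PRIVILEGED_ROLES:
        return hits  # admins are expected to reach the LDAP settings WebSocket
    # Substring match so an assumed reverse-proxy prefix before /ws/ldap/ does not hide the hit
    if LDAP_WS_PATH in str(record.get("url_path", "")):
        hits.append("ws_ldap_from_non_admin")
    if record.get("event") == "ldap_sync":
        hits.append("ldap_sync_by_non_admin")
    return hits


def scan(lines: Iterable[str]) -> list[dict]:
    """Parse JSON-lines logs and return one finding per matched indicator."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed or blank line: skip rather than abort the whole scan
        for rule in classify(record):
            findings.append({"rule": rule, "user": record.get("user"),
                             "ts": record.get("ts"), "path": record.get("url_path")})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS.splitlines()):
        print(f"{f['ts']} {f['rule']:<24} user={f['user']} path={f['path']}")
```

The third sample line fires both rules, because a non-admin session on /ws/ldap/ that also emits ldap_sync is the exact pattern the advisory describes.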