CVE-2025-64097

9.8 CRITICAL

📋 TL;DR

This vulnerability in NervesHub allows attackers to brute-force user API tokens: the tokens are assembled from predictable, user-identifiable components rather than drawn from a cryptographically secure random source, so the space an attacker has to search is far smaller than the token length suggests. A recovered token grants the access of the user it belongs to, including any API action that user is authorised for. It affects all NervesHub deployments from version 1.0.0 up to (but not including) 2.3.0.

💻 Affected Systems

Products:
  • NervesHub
Versions: 1.0.0 to 2.2.x
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All NervesHub deployments using the vulnerable versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker who recovers an administrator's token inherits that account's privileges in NervesHub, including the ability to push malicious firmware updates to every device the account can manage, compromising entire IoT fleets.

🟠 Likely Case

An attacker recovers an individual user's token and can act as that user: view and manage their devices, access sensitive data, or perform API actions that user is authorised for.

🟢 If Mitigated

With network access restricted to trusted sources and rate limiting in place, the token space cannot be searched at scale and impact is limited to the NervesHub service itself, with no lateral movement to other systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Token enumeration/brute-forcing is straightforward due to predictable token formats. No authentication required to attempt exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.0

Vendor Advisory: https://github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-m9vj-776q-vc8m

Restart Required: Yes

Instructions:

1. Back up your NervesHub database and configuration.
2. Update to version 2.3.0 or later using your package manager or deployment method.
3. Restart the NervesHub service.
4. All existing tokens will be invalidated and users will need to generate new ones. Because tokens issued under the old scheme may already have been guessed, also review API activity from the period before the upgrade for actions the token owners do not recognise.

🔧 Temporary Workarounds

Network Access Restriction

Limit access to the NervesHub server with firewall rules that admit only trusted IP addresses/networks. Rules are evaluated in order, so the ACCEPT for the trusted range must come before the DROP, and both must precede any existing rule that accepts port 443 broadly:

iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP_RANGE -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

Caveat: if fleet devices reach this host over the Internet, a blanket DROP on 443 also cuts off their check-ins. Scope the restriction to the listener or path that serves the user-facing web/API, or accept device traffic separately, before applying it in production.

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to NervesHub only from trusted networks.
  • Monitor authentication logs for unusual token usage patterns and implement rate limiting at network/application level.

🔍 How to Verify

Check if Vulnerable:

Check NervesHub version: if running version >=1.0.0 and <2.3.0, you are vulnerable.

Check Version:

Check your deployment method: the `version` declared in the `mix.exs` of the release you are running, or the tag of the deployed container image. A floating tag such as `latest` says nothing about the version; inspect the image itself.

Verify Fix Applied:

Verify that the running version is 2.3.0 or later, and that newly generated tokens come from the fixed generator: they should be drawn from a cryptographically secure random source and contain no user-derived components (a token that can be decoded or trivially related to a user ID, e-mail or creation order is not from the fixed generator).
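A small version-range check, added here as an example and not part of NervesHub or its tooling. It accepts the forms a practitioner meets in practice (a bare version, a `v`-prefixed tag, a pre-release suffix, or a full container image reference; the registry name in the test is constructed) and applies the advisory's range of 1.0.0 up to but not including 2.3.0. Treating a `2.3.0-rc.x` pre-release as unpatched is a conservative assumption of this example, not a statement from the advisory.

```python
import re

# Vulnerable range from the advisory: 1.0.0 <= version < 2.3.0.
VULN_LOW = (1, 0, 0)
FIXED_IN = (2, 3, 0)

# SemVer-style: optional 'v' prefix, optional -prerelease and +build suffixes.
VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(ref):
    """Return (major, minor, patch, prerelease_or_None) from a bare version
    ('2.2.1', 'v2.3.0', '2.3.0-rc.1') or a container image reference
    ('registry.example/nerves_hub_web:v2.2.1'); None if unrecognised."""
    tag = ref.rsplit(":", 1)[-1] if ":" in ref else ref
    m = VERSION_RE.match(tag)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def is_vulnerable(ref):
    """True if the referenced version falls inside the advisory's range."""
    v = parse_version(ref)
    if v is None:
        raise ValueError(
            f"unrecognised version {ref!r}: a tag like 'latest' says nothing, inspect the image"
        )
    core, pre = v[:3], v[3]
    if core < VULN_LOW:
        return False
    if core < FIXED_IN:
        return True
    # Conservative assumption of this example: a pre-release tagged 2.3.0-x sorts
    # below the 2.3.0 release and is treated as unpatched until confirmed otherwise.
    return core == FIXED_IN and pre is not None


if __name__ == "__main__":
    for ref in ("2.2.1", "v1.0.0", "0.9.5", "2.3.0", "2.3.0-rc.1",
                "registry.example/nerves_hub_web:v2.4.0"):
        print(f"{ref:45} vulnerable={is_vulnerable(ref)}")
```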

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts with different tokens
  • Unusual token patterns in authentication logs
  • Authentication from unexpected IP addresses

Network Indicators:

  • High volume of authentication requests to NervesHub API endpoints
  • Traffic patterns suggesting token enumeration

SIEM Query:

Authentication logs should not contain raw tokens, so match on the failure event and aggregate by source: a single source producing far more failures in a short period than a user mistyping a token ever would is the enumeration signal. Splunk-style syntax; adjust the field names and threshold to your log schema and traffic:

source="nerveshub" event="auth_failure" | stats count by src_ip | where count > 50
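The same detection carried out offline over raw log lines, added here as an example that is not part of NervesHub. The log layout (`<ISO-8601 UTC time> <source IP> <auth_failure|auth_success> <path>`) and the sample lines are constructed for illustration; adapt `LINE_RE` to whatever your reverse proxy or application logger emits, and keep raw tokens out of the log entirely. It goes one step beyond the query above: besides the failure burst it flags a success from the same source while failures are still inside the window, which is the signal that an enumeration most likely found a valid token.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log layout for this example; real deployments will differ.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<ip>\S+)\s+"
    r"(?P<event>auth_failure|auth_success)\s+(?P<path>\S+)$"
)


def parse_line(line):
    """Return (timestamp, ip, event, path), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["event"], m["path"]


def detect_enumeration(lines, window_s=60, threshold=20):
    """Sliding-window detector over time-ordered log lines.

    An IP is flagged once it produces `threshold` auth failures within
    `window_s` seconds. A success from a flagged IP while failures are still
    inside its window is recorded as success_after_burst: the high-priority
    case, because the enumeration most likely recovered a valid token.
    Returns {ip: {"peak_failures": int, "success_after_burst": bool}}.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate junk lines rather than abort the whole run
        ts, ip, event, _path = rec
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures older than the window
        if event == "auth_failure":
            q.append(ts)
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"peak_failures": 0, "success_after_burst": False})
                a["peak_failures"] = max(a["peak_failures"], len(q))
        elif ip in alerts and q:  # auth_success from a flagged IP, burst still in window
            alerts[ip]["success_after_burst"] = True
    return alerts


# Constructed sample: one enumerating client, one benign client, one junk line.
SAMPLE_LOG = (
    [f"2025-11-01T10:00:{i:02d}Z 203.0.113.7 auth_failure /api/devices" for i in range(25)]
    + [
        "2025-11-01T10:00:26Z 203.0.113.7 auth_success /api/devices",
        "2025-11-01T10:05:00Z 198.51.100.4 auth_failure /api/devices",
        "2025-11-01T10:05:30Z 198.51.100.4 auth_success /api/devices",
        "malformed line that the parser must tolerate",
    ]
)

if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

The threshold is deliberately far above what a human mistyping a token produces; tune `window_s` and `threshold` against your own baseline, and remember that a distributed attacker will spread attempts across many source addresses, so aggregate per target endpoint as well as per source when you move this into the SIEM.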
