CVE-2025-67745

7.1 HIGH

📋 TL;DR

MyHoard versions 1.0.1 through 1.2.x log backup information, including encryption keys, in certain cases, potentially exposing the keys that protect sensitive database backups. This affects organizations using MyHoard for MySQL backup management that have not updated to version 1.3.0 or implemented a workaround.

💻 Affected Systems

Products:
  • MyHoard
Versions: 1.0.1 through 1.2.x
Operating Systems: All platforms running MyHoard
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability occurs in specific logging scenarios during backup operations; not all configurations trigger the logging.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain access to encrypted MySQL backups and decrypt them using exposed keys, leading to full database compromise and data exfiltration.

🟠

Likely Case

Unauthorized users with log access can extract encryption keys and decrypt backup files, potentially exposing sensitive database contents.

🟢

If Mitigated

With proper log security and access controls, the exposed keys remain inaccessible to attackers, limiting potential damage.

🌐 Internet-Facing: MEDIUM - If logs are exposed via web interfaces or misconfigured logging systems, encryption keys could be extracted remotely.
🏢 Internal Only: HIGH - Internal users with log access can easily extract encryption keys and decrypt backups without authentication.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires access to logs containing the exposed encryption keys.

Exploitation requires access to MyHoard logs where backup information is recorded.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.0

Vendor Advisory: https://github.com/Aiven-Open/myhoard/security/advisories/GHSA-v42r-6hr9-4hcr

Restart Required: Yes

Instructions:

1. Stop the MyHoard service.
2. Update to version 1.3.0 using your package manager or a manual installation.
3. Restart the MyHoard service.
4. Verify that the logs no longer contain encryption keys.

🔧 Temporary Workarounds

Redirect logs to /dev/null (Linux)

Prevent logging of sensitive backup information by directing MyHoard's log output to the null device: configure MyHoard logging to write to /dev/null in your logging configuration. Note that this also discards the operational log entries you would otherwise rely on for troubleshooting and monitoring.

🧯 If You Can't Patch

  • Implement strict access controls on MyHoard log files and directories
  • Regularly audit and monitor log files for exposure of encryption keys

🔍 How to Verify

Check if Vulnerable:

Check the MyHoard version and examine the logs of backup operations for encryption key strings.

Check Version:

myhoard --version

Verify Fix Applied:

After updating to 1.3.0, verify that backup operation logs no longer contain encryption key information.

📡 Detection & Monitoring

Log Indicators:

  • Log entries containing 'encryption_key', 'backup_key', or similar strings in backup-related log messages

Network Indicators:

  • Unusual access patterns to log files or backup storage locations

SIEM Query:

source="myhoard.log" AND ("encryption_key" OR "backup_key")
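The "Verify Fix Applied" step and the log indicators above both come down to the same check: scanning log lines for key-like fields without copying the secret into your own report. The following is an added example, not MyHoard's own code or output; the log lines and field values are constructed for illustration (the key values are placeholders), and the line format is an assumption. It reports each hit with the value redacted so the finding itself does not become a second leak.

```python
"""Scan log lines for backup encryption-key material and report redacted findings.

Added example for this advisory page; it is not MyHoard's own code. The log
line format below is an assumption and the sample lines are constructed. The
only thing taken from the page is the idea of searching backup-related log
messages for 'encryption_key' / 'backup_key' style strings.
"""
import re

# Field names from the advisory's detection section, plus a generic '*_key'
# pattern, followed by an '=' or ':' separator and a base64/hex-like value.
KEY_FIELD_RE = re.compile(
    r"(?P<field>\b(?:encryption_key|backup_key|[a-z_]*_key)\b)"
    r"['\"]?\s*[=:]\s*['\"]?"
    r"(?P<value>[A-Za-z0-9+/=_-]{8,})",
    re.IGNORECASE,
)


def redact(value: str) -> str:
    """Keep only a short prefix so the scanner's report does not leak the secret."""
    return f"{value[:4]}...[{len(value)} chars]"


def find_leaked_keys(lines):
    """Return (line_no, field_name, redacted_value) for each key-like field found."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for match in KEY_FIELD_RE.finditer(line):
            findings.append((line_no, match.group("field"), redact(match.group("value"))))
    return findings


def logs_are_clean(lines) -> bool:
    """True when no key-like field is present; use after upgrading to confirm the fix."""
    return not find_leaked_keys(lines)


# Constructed sample log lines (not real MyHoard output); key values are placeholders.
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z INFO backup: starting basebackup stream=default",
    "2025-01-01T10:00:01Z DEBUG backup: site config {'encryption_key': "
    "'PLACEHOLDERKEYaaaaBBBBcccc1234', 'compression': 'snappy'}",
    "2025-01-01T10:00:02Z INFO backup: uploaded 12 chunks",
    "2025-01-01T10:05:00Z DEBUG restore: backup_key=PLACEHOLDERRESTOREKEY0001",
    "2025-01-01T10:06:00Z INFO status: keyring_ok=true",  # '_key' substring, not a key field
]

if __name__ == "__main__":
    for line_no, field, shown in find_leaked_keys(SAMPLE_LOG):
        print(f"line {line_no}: field '{field}' exposes a value {shown}")
    print("clean:", logs_are_clean(SAMPLE_LOG))
```

Run it against a real log file by replacing SAMPLE_LOG with `open(path).read().splitlines()`; a clean result after the 1.3.0 upgrade is the verification the fix instructions ask for, and a non-empty result on an unpatched host tells you which backup operations wrote key material and therefore which keys to rotate.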
