CVE-2025-30206

Published Apr 15, 2025

Last updated 2 months ago

CVSS critical 9.8

Overview

Description
Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw allows attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens, an attacker can successfully bypass authentication mechanisms, impersonate privileged users, and gain unauthorized administrative access. Consequently, this enables full control over the host machine, potentially leading to severe consequences such as sensitive data exposure, unauthorized command execution, privilege escalation, or further lateral movement within the network environment. This issue is patched in version 1.6.1. A workaround for this vulnerability involves replacing the hardcoded secret with a securely generated value and load it from secure configuration storage.
Source
security-advisories@github.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-321

Social media

Hype score
Not currently trending

  1. #CVE-2025-30206 https://t.co/HHvzFwKzSA Although it is not directly hard-coded, it further proves that humans are the most unreliable. https://t.co/VGRQyAjDZI

    @_r00tuser

    16 Apr 2025

    692 Impressions

    1 Retweet

    7 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-30206 Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default c… https://t.co/4RIOvcRQ0L

    @CVEnew

    15 Apr 2025

    228 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. [CVE-2025-30206: CRITICAL] Security flaw in Dpanel's Docker management system: hardcoded JWT secret in default config allows attackers to generate valid tokens, compromising host machine. Patched in v1.6.1.#cve,CVE-2025-30206,#cybersecurity https://t.co/dR1LBveZut https://t.co/ZR

    @CveFindCom

    15 Apr 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.