Security Flaw in MartialBE one-hub Docker Configuration
CVE-2025-14651

6.3MEDIUM

Key Information:

Vendor: Martialbe
Status: One-hub
Vendor: CVE Published:; 14 December 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-14651?

A vulnerability exists in MartialBE one-hub versions up to 0.14.27 that affects the docker-compose.yml configuration file. Specifically, the SESSION_SECRET argument is hard-coded, leading to potential exploitation via remote attacks. While exploiting this vulnerability requires a high level of complexity, it has been disclosed publicly and could be leveraged by malicious actors. Users are strongly advised to modify the default docker-compose settings, as the maintainer cautions that the default configuration is unsuitable for production environments. A thorough review and customization of every configuration and environment variable is recommended.

Affected Version(s)

one-hub 0.14.0

one-hub 0.14.1

one-hub 0.14.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-14651 - Proof of Concept

References

https://vuldb.com/?id.336384

vdb-entrytechnical-description

https://vuldb.com/?ctiid.336384

signaturepermissions-required

https://vuldb.com/?submit.710249

third-party-advisory

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Dec 14, 2025
👾
Exploit known to exist
Dec 14, 2025
Vulnerability published
Dec 14, 2025
Vulnerability Reserved
Dec 13, 2025

Credit

28Hus (VulDB User)

JSON

Martialbe

Badges

What is CVE-2025-14651?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit