JWT Token Handler Vulnerability in Done-0 Jank Affected by Hard-Coded Secrets
CVE-2025-7080

6.3MEDIUM

Key Information:

Vendor

Done-0

Status
Jank
Vendor
CVE Published:
6 July 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-7080?

A vulnerability in the JWT Token Handler of Done-0 Jank has been identified, where hard-coded passwords can be exploited due to inadequate access control in the arguments accessSecret and refreshSecret. This issue allows a remote attacker to manipulate these arguments, leading to unauthorized access through the use of hard-coded secrets. The complexity of exploiting this vulnerability is high, and while it has been publicly disclosed, the process of executing the exploit is considered challenging. Due to the continuous delivery model employed by the product, specific version details for affected and updated releases are not clearly outlined.

Affected Version(s)

Jank 322caebbad10568460364b9667aa62c3080bfc17

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-7080 - Proof of Concept

References

https://vuldb.com/?id.314994
vdb-entrytechnical-description
https://vuldb.com/?ctiid.314994
signaturepermissions-required
https://vuldb.com/?submit.603746
third-party-advisory

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tritium (VulDB User)
.
CVE-2025-7080 : JWT Token Handler Vulnerability in Done-0 Jank Affected by Hard-Coded Secrets