Cryptographic Vulnerability in Coze-Studio Affects Confidentiality
CVE-2025-9604

6.3MEDIUM

Key Information:

Vendor

Coze

Status
Coze-studio
Vendor
CVE Published:
29 August 2025

What is CVE-2025-9604?

A vulnerability has been identified in Coze-Studio versions up to 0.2.4, affecting key management in the encryption process. The flawed function within the file backend/domain/plugin/encrypt/aes.go allows attackers to exploit hard-coded cryptographic keys, specifically AuthSecretKey, StateSecretKey, and OAuthTokenSecretKey. This remote attack vector requires high complexity for successful exploitation, making it particularly challenging. To mitigate this vulnerability, it is advised to implement a patch and switch to user-defined key management solutions, enhancing the security of encryption tools by utilizing features like random salt.

Affected Version(s)

coze-studio 0.2.0

coze-studio 0.2.1

coze-studio 0.2.2

References

https://vuldb.com/?id.321780
vdb-entrytechnical-description
https://vuldb.com/?ctiid.321780
signaturepermissions-required
https://vuldb.com/?submit.636417
third-party-advisory

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

kexinoh (VulDB User)
.
CVE-2025-9604 : Cryptographic Vulnerability in Coze-Studio Affects Confidentiality