VYPR
High severityNVD Advisory· Published Aug 27, 2025· Updated Apr 15, 2026

CVE-2025-30064

CVE-2025-30064

Description

An insufficiently secured internal function allows session generation for arbitrary users. The decodeParam function checks the JWT but does not verify which signing algorithm was used. As a result, an attacker can use the "ex:action" parameter in the VerifyUserByThrustedService function to generate a session for any user.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.