Unrated severityNVD Advisory· Published Oct 30, 2025· Updated Oct 31, 2025

JumpServer Unauthorized LDAP Configuration Access via WebSocket

CVE-2025-62795

Description

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.21-lts and v4.10.12-lts, a low-privileged authenticated user can invoke LDAP configuration tests and start LDAP synchronization by sending crafted messages to the /ws/ldap/ WebSocket endpoint, bypassing authorization checks and potentially exposing LDAP credentials or causing unintended sync operations. This vulnerability is fixed in v3.10.21-lts and v4.10.12-lts.

Affected products

Jumpserver/Jumpserverv5
Range: < 3.10.21-lts

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/jumpserver/jumpserver/security/advisories/GHSA-7893-256g-m822mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000