VYPR
Unrated severityNVD Advisory· Published Oct 30, 2025· Updated Oct 31, 2025

JumpServer Unauthorized LDAP Configuration Access via WebSocket

CVE-2025-62795

Description

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.21-lts and v4.10.12-lts, a low-privileged authenticated user can invoke LDAP configuration tests and start LDAP synchronization by sending crafted messages to the /ws/ldap/ WebSocket endpoint, bypassing authorization checks and potentially exposing LDAP credentials or causing unintended sync operations. This vulnerability is fixed in v3.10.21-lts and v4.10.12-lts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Jumpserver/Jumpserverllm-fuzzy2 versions
    <3.10.21-lts, <4.10.12-lts+ 1 more
    • (no CPE)range: <3.10.21-lts, <4.10.12-lts
    • (no CPE)range: < 3.10.21-lts

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.