Unrated severityNVD Advisory· Published Oct 30, 2025· Updated Oct 31, 2025
JumpServer Unauthorized LDAP Configuration Access via WebSocket
CVE-2025-62795
Description
JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.21-lts and v4.10.12-lts, a low-privileged authenticated user can invoke LDAP configuration tests and start LDAP synchronization by sending crafted messages to the /ws/ldap/ WebSocket endpoint, bypassing authorization checks and potentially exposing LDAP credentials or causing unintended sync operations. This vulnerability is fixed in v3.10.21-lts and v4.10.12-lts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<3.10.21-lts, <4.10.12-lts+ 1 more
- (no CPE)range: <3.10.21-lts, <4.10.12-lts
- (no CPE)range: < 3.10.21-lts
Patches
Vulnerability mechanics
References
1- github.com/jumpserver/jumpserver/security/advisories/GHSA-7893-256g-m822mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.