CWE-547
Use of Hard-coded, Security-relevant Constants
Base / Draft
Description
The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.
If the developer does not find all occurrences of the hard-coded constants, an incorrect policy decision may be made if one of the constants is not changed. Making changes to these values will require code changes that may be difficult or impossible once the system is released to the field. In addition, these hard-coded values may become available to attackers if the code is ever disclosed.
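A small static check for this weakness, added here as an illustration and not taken from the CWE entry. It flags literals bound to or compared with security-relevant identifiers. The `SENSITIVE` word list, the function names and the sample source are assumptions made for the example.

```python
import ast

# Assumption: this word list is a heuristic chosen for this example.
SENSITIVE = ("secret", "key", "password", "token", "attempt", "timeout")

# Constructed sample: the retry limit is a literal at two sites and has drifted (5 vs 3).
SAMPLE = '''\
MAX_ATTEMPTS = 5
JWT_SECRET = "changeme"

def check_login(attempts):
    return attempts < 5

def should_lock(failed_attempts):
    return failed_attempts >= 3

def check_login_fixed(attempts):
    return attempts < MAX_ATTEMPTS
'''

def _name(node):
    if isinstance(node, ast.Name):
        return node.id
    return node.attr if isinstance(node, ast.Attribute) else ""

def _sensitive(name):
    return any(word in name.lower() for word in SENSITIVE)

def _literal(node):
    # bool is excluded: True/False are flags, not policy values
    return (isinstance(node, ast.Constant)
            and isinstance(node.value, (str, bytes, int, float))
            and not isinstance(node.value, bool))

def find_hardcoded(source):
    """Return (line, identifier, literal) tuples, ordered by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and _literal(node.value):
            for n in map(_name, node.targets):
                # Numeric UPPER_CASE definitions are the symbolic names; strings are embedded secrets.
                if _sensitive(n) and (isinstance(node.value.value, (str, bytes)) or not n.isupper()):
                    findings.append((node.lineno, n, node.value.value))
        elif isinstance(node, ast.Compare):
            operands = [node.left, *node.comparators]
            for lit in filter(_literal, operands):
                for n in filter(_sensitive, map(_name, operands)):
                    findings.append((node.lineno, n, lit.value))
    return sorted(findings, key=lambda f: f[:2])
```

On `SAMPLE` the check reports the embedded `JWT_SECRET` string and both literal retry limits, while the `MAX_ATTEMPTS` definition and the comparison that uses it pass.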
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (7)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-49151 | Cri | 0.60 | — | 0.01 | | Jun 25, 2025 | The affected products could allow an unauthenticated attacker to generate forged JSON Web Tokens (JWT) to bypass authentication. |
| CVE-2025-30206 | Cri | 0.57 | 9.8 | 0.00 | | Apr 15, 2025 | Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw allows attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens, an attacker can successfully bypass authentication mechanisms, impersonate privileged users, and gain unauthorized administrative access. Consequently, this enables full control over the host machine, potentially leading to severe consequences such as sensitive data exposure, unauthorized command execution, privilege escalation, or further lateral movement within the network environment. This issue is patched in version 1.6.1. A workaround for this vulnerability involves replacing the hardcoded secret with a securely generated value and loading it from secure configuration storage. |
| CVE-2025-2081 | Hig | 0.57 | — | 0.00 | | Mar 13, 2025 | Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and misleading victim clients. |
| CVE-2025-2079 | Hig | 0.57 | — | 0.00 | | Mar 13, 2025 | Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions. |
| CVE-2024-39888 | Hig | 0.49 | 7.5 | 0.00 | | Jul 9, 2024 | A vulnerability has been identified in Mendix Encryption (All versions >= V10.0.0 < V10.0.2). Affected versions of the module define a specific hard-coded default value for the EncryptionKey constant, which is used in projects where no individual EncryptionKey was specified. This could allow an attacker to decrypt any encrypted project data, as the default encryption key can be considered compromised. |
| CVE-2024-41885 | Med | 0.36 | — | 0.01 | | Dec 24, 2024 | Team ENVY, a Security Research TEAM has found a flaw that allows for a remote code execution on the NVR. The seed string for the encrypt key was hard-coded. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds. |
| CVE-2025-23253 | Low | 0.16 | 2.5 | 0.00 | | Apr 22, 2025 | NVIDIA NvContainer service for Windows contains a vulnerability in its usage of OpenSSL, where an attacker could exploit a hard-coded constant issue by copying a malicious DLL in a hard-coded path. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering. |