CVE-2025-9604 | coze-studio up to 0.2.4 aes.go AuthSecretKey/StateSecretKey/OAuthTokenSecretKey hard-coded key (Issue 505)

A vulnerability has been found in coze-studio up to 0.2.4 and classified as problematic. The impacted element is an unknown function of the file backend/domain/plugin/encrypt/aes.go. The manipulation of the argument AuthSecretKey/StateSecretKey/OAuthTokenSecretKey leads to use of hard-coded cryptographic key
.

This vulnerability is traded as CVE-2025-9604. It is possible to initiate the attack remotely. There is no exploit available.

To fix this issue, it is recommended to deploy a patch.

The vendor replied to the GitHub issue (translated from simplified Chinese): “For scenarios requiring encryption, we will implement user-defined key management through configuration and optimize the use of encryption tools, such as random salt.”

CVE-2025-9604 | coze-studio up to 0.2.4 aes.go AuthSecretKey/StateSecretKey/OAuthTokenSecretKey hard-coded key (Issue 505)

Post correlati

CVE-2025-5291 | Master Slider Plugin up to 3.10.8 on WordPress Shortcode ms_slide cross site scripting

CVE-2025-50989 | OPNsense 25.1 interfaces_bridge_edit.php span command injection

CVE-2024-0333 | Google Chrome prior 120.0.6099.216 Extensions input validation

CVE-2022-36764 | TianoCore EDK2 up to 202311 Tcg2MeasurePeImage heap-based overflow (GHSA-4hcq-p8q8-hj8j)