← Retour aux CVEs

CVE-2025-66910

MEDIUM

6.0

Description

Turms Server v0.10.0-SNAPSHOT and earlier contains a plaintext password storage vulnerability in the administrator authentication system. The BaseAdminService class caches administrator passwords in plaintext within AdminInfo objects to optimize authentication performance. Upon successful login, raw passwords are stored unencrypted in memory in the rawPassword field. Attackers with local system access can extract these passwords through memory dumps, heap analysis, or debugger attachment, bypassing bcrypt protection.

Details CVE

Score CVSS v3.16.0

SeveriteMEDIUM

Vecteur CVSSCVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Vecteur d'attaqueLOCAL

ComplexiteLOW

Privileges requisHIGH

Interaction utilisateurNONE

Publie12/19/2025

Derniere modification1/2/2026

Sourcenvd

Observations honeypot0

Produits affectes

turms-im:turms

Faiblesses (CWE)

CWE-256CWE-532

References

https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66910_report.md(cve@mitre.org)

https://github.com/turms-im/turms(cve@mitre.org)

https://github.com/turms-im/turms/blob/develop/turms-server-common/src/main/java/im/turms/server/common/domain/admin/bo/AdminInfo.java#L34(cve@mitre.org)

https://github.com/turms-im/turms/blob/develop/turms-server-common/src/main/java/im/turms/server/common/domain/admin/service/BaseAdminService.java#L237(cve@mitre.org)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.