CVE-2025-30064

Publication date

2025-08-27 10:25:20

Family

CERT-PL

State

PUBLISHED

Description

An insufficiently secured internal function allows session generation for arbitrary users. The decodeParam function checks the JWT but does not verify which signing algorithm was used. As a result, an attacker can use the "ex:action" parameter in the VerifyUserByThrustedService function to generate a session for any user.