Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-43866

vantage6 is an open-source infrastructure for privacy preserving analysis. The JWT secret key in the vantage6 server is auto-generated unless defined by the user. The auto-generated key is a UUID1, which is not cryptographically secure as it is predictable to some extent. This vulnerability is fixed in 4.11.0.

Published

2025-06-12T18:15:20.713

Last Modified

2025-09-17T18:44:19.670

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-330

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	vantage6	vantage6	< 4.11.0	Yes

References

https://github.com/vantage6/vantage6/security/advisories/GHSA-m3mq-f375-5vgh Vendor Advisory ([email protected])