Introduction
Attackers with access to even a low-privileged JumpServer account can leverage a critical flaw to impersonate administrators and access sensitive assets. This vulnerability, tracked as CVE-2025-62712, affects JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, and enables unauthorized retrieval of connection tokens for any user in the system.
About JumpServer: JumpServer is an open source Privileged Access Management (PAM) platform developed by Fit2Cloud. It is widely used in China and internationally to broker and audit access to infrastructure assets. JumpServer manages SSH, RDP, database, and cloud connections for thousands of organizations, so vulnerabilities in its access control mechanisms have a high impact.
Technical Information
CVE-2025-62712 is a critical authorization vulnerability classified under CWE-862 (Missing Authorization). The issue resides in the /api/v1/authentication/super-connection-token/ API endpoint. In affected versions, this endpoint fails to restrict the returned connection tokens to those owned by or authorized for the requesting user. Instead, it returns all connection tokens present in the database, regardless of ownership.
Vulnerability mechanism:
- Any authenticated user (including non-privileged accounts) can send an HTTP GET request to the vulnerable endpoint.
- The response includes connection tokens for all users, including highly privileged accounts such as administrators.
- These tokens can be used to initiate sessions with managed assets as the original token owners, enabling privilege escalation and unauthorized access.
Root cause:
- The API endpoint does not implement proper authorization checks or filtering based on the requesting user's identity.
- There is no evidence of row-level security or permission validation in the endpoint's logic, allowing unrestricted enumeration of tokens.
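The missing filter described above, shown as an added illustration rather than JumpServer's own code (the page notes that no vulnerable code sample is public): a constructed in-memory token table, a listing that ignores the requester the way the advisory describes, and a hardened listing that applies a row-level ownership filter plus an object-level check on single-token retrieval. The User and ConnectionToken types, the sample rows, and the carve-out that lets superusers enumerate all tokens are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Set


@dataclass(frozen=True)
class User:
    username: str
    is_superuser: bool = False


@dataclass(frozen=True)
class ConnectionToken:
    token_id: str
    owner: str   # username the token was issued to
    asset: str   # managed asset the token grants a session on


# Constructed stand-in for the database table; ids, owners and assets are
# made up for this illustration.
TOKENS: List[ConnectionToken] = [
    ConnectionToken("tok-001", "admin", "prod-db-01"),
    ConnectionToken("tok-002", "alice", "web-01"),
    ConnectionToken("tok-003", "bob", "web-02"),
    ConnectionToken("tok-004", "admin", "bastion-01"),
]


def list_tokens_vulnerable(requester: User) -> List[ConnectionToken]:
    """The flaw in miniature: the requester is accepted but never consulted,
    so every row in the table is returned to any authenticated caller."""
    return list(TOKENS)


def list_tokens_fixed(requester: User) -> List[ConnectionToken]:
    """Row-level filter applied at the data-access layer: a caller only sees
    rows whose owner column matches their own identity. Letting superusers
    enumerate all tokens is an assumption for this example, not something
    the advisory specifies."""
    if requester.is_superuser:
        return list(TOKENS)
    return [t for t in TOKENS if t.owner == requester.username]


def get_token_fixed(requester: User, token_id: str) -> ConnectionToken:
    """Object-level check for single-token retrieval, built on the same filter.
    A token that exists but belongs to someone else is reported exactly like
    one that does not exist, so the response cannot be used to enumerate ids."""
    for token in list_tokens_fixed(requester):
        if token.token_id == token_id:
            return token
    raise PermissionError("token not found or not authorized for this user")


def foreign_owners(listing: Callable[[User], List[ConnectionToken]],
                   requester: User) -> Set[str]:
    """Regression check for the authorization boundary: the set of other users
    whose tokens `listing` exposes to `requester`. For a non-superuser this
    must be empty; anything else means the ownership filter is missing."""
    return {t.owner for t in listing(requester)} - {requester.username}


if __name__ == "__main__":
    bob = User("bob")
    print("vulnerable exposes:", sorted(foreign_owners(list_tokens_vulnerable, bob)))
    print("fixed exposes:     ", sorted(foreign_owners(list_tokens_fixed, bob)))
```

The `foreign_owners` check is the part worth keeping in a test suite: it encodes the invariant that an endpoint returning per-user resources must never surface another user's rows to a non-administrative caller, which is exactly the property the vulnerable endpoint lacked.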
Exploitation details:
- Exploitation requires only valid credentials for any user account.
- Attackers can use standard HTTP clients or browser tools to access the endpoint and retrieve tokens.
- No advanced technical skills or exploit code are required.
No public code snippets or vulnerable code samples are available for this issue. All technical details are derived from vendor advisories and public documentation.
Affected Systems and Versions
- JumpServer versions prior to v3.10.20-lts are affected (legacy long-term support branch)
- JumpServer versions prior to v4.10.11-lts are affected (current generation branch)
- Both Community and Enterprise Editions are impacted, as the vulnerability is present in core authentication logic
- The vulnerability is present regardless of deployment configuration
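A branch-aware version check, added here as example code rather than anything published by the vendor: given an inventory of JumpServer version strings, it reports which installations fall before the fixed releases named above (v3.10.20-lts on the 3.x branch, v4.10.11-lts on the 4.x branch) and flags branches the advisory does not cover as unknown instead of guessing. The version-string format accepted, the decision to ignore suffixes such as -lts when ordering, and the sample inventory are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases as stated in the advisory, keyed by major-version branch.
# Versions on other branches are outside the advisory's scope and are
# reported as unknown rather than guessed.
FIXED_BY_BRANCH: Dict[int, Tuple[int, int, int]] = {
    3: (3, 10, 20),   # v3.10.20-lts
    4: (4, 10, 11),   # v4.10.11-lts
}

# Assumption: versions look like "v4.10.11-lts"; a leading "v" and a suffix
# such as "-lts" are optional, and the suffix is ignored for ordering.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.]+)?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) as integers so comparison is numeric,
    not lexicographic ("3.10.9" must sort below "3.10.20")."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised JumpServer version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(text: str) -> Optional[bool]:
    """True if the version is below the fix for its branch, False if at or
    above it, None if the branch is not one the advisory covers."""
    ver = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(ver[0])
    if fixed is None:
        return None
    return ver < fixed


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by status. `inventory` maps host name -> reported version."""
    result: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        status = is_affected(version)
        bucket = "unknown" if status is None else ("affected" if status else "fixed")
        result[bucket].append(host)
    return result


# Constructed inventory for demonstration; host names and versions are made up.
SAMPLE_INVENTORY: Dict[str, str] = {
    "jms-legacy-01": "v3.10.19-lts",
    "jms-legacy-02": "v3.10.20-lts",
    "jms-prod-01": "v4.10.10-lts",
    "jms-prod-02": "v4.10.11-lts",
    "jms-lab-01": "4.9.3",
    "jms-test-01": "v5.0.0",
}

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket:9s} {', '.join(hosts) or '-'}")
```

Because the advisory scopes the fix per branch, a single "minimum version" comparison would misclassify a patched 3.x host as vulnerable; keying the thresholds by major version keeps the two long-term-support lines separate.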
Vendor Security History
JumpServer has experienced multiple authorization and authentication vulnerabilities in recent years. Notable examples include:
- CVE-2023-43652: Core API did not verify requests originated from authorized components, allowing token generation and session impersonation
- CVE-2025-27095: Kubernetes token leakage via kubeconfig file manipulation by low-privileged users
- CVE-2023-42819: Directory traversal vulnerability enabling arbitrary file access
Patch response times have ranged from weeks to months, but recent vulnerabilities have been addressed more rapidly. Security advisories are published through GitHub and official documentation channels.