CVE-2025-30206 — Vulnetix

CVE-2025-30206 PUBLISHED CVSS 9.800000190734863 CRITICAL

Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw allows attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens, an attacker can successfully bypass authentication mechanisms, impersonate privileged users, and gain unauthorized administrative access. Consequently, this enables full control over the host machine, potentially leading to severe consequences such as sensitive data exposure, unauthorized command execution, privilege escalation, or further lateral movement within the network environment. This issue is patched in version 1.6.1. A workaround for this vulnerability involves replacing the hardcoded secret with a securely generated value and load it from secure configuration storage.

EPSS 0.10% · 27.8th percentile

Risk Scores

CVSS v3.1

9.800000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.10%

27.8th percentile

Affected Products

Vendor	Product	Versions
donknap	dpanel	*
github.com	donknap/dpanel	0

Timeline

Jan 21, 1970 Security Advisory
Apr 15, 2025 CVE Published
Apr 15, 2025 PoC Published
Apr 16, 2025 EPSS Score
Apr 16, 2025 PoC Published
Apr 16, 2025 PoC Published
Apr 23, 2025 CVE Updated
Apr 28, 2025 EPSS Score
May 10, 2025 EPSS Score
May 21, 2025 EPSS Score
May 28, 2025 Coalition ESS Score
Jun 2, 2025 EPSS Score

References

Open in Interactive Console →