Platform
rust
Component
rustfs
Fixed in
1.0.1
1.0.0-alpha.78
CVE-2025-68926 describes a critical authentication bypass vulnerability in RustFS. The flaw allows any attacker with network access to the gRPC listener to execute privileged operations, because the server accepts a hardcoded authentication token that is visible to anyone with the source code. The vulnerability affects versions prior to 1.0.0-alpha.78 and is fixed in that release. Immediate action is recommended.
The impact of CVE-2025-68926 is severe. Because the authentication token is hardcoded and publicly available within the RustFS source code, any attacker who can reach the gRPC port can authenticate without credentials. This grants them privileged access, enabling them to perform actions such as data destruction, policy manipulation, and cluster configuration changes. The lack of token rotation and configurability exacerbates the risk, as the same vulnerable token is used across all RustFS deployments. This vulnerability presents a significant risk to data integrity and system availability.
CVE-2025-68926 is currently not listed in the CISA KEV catalog. The EPSS score shown on this page is 10.61% (93rd percentile), which is consistent with the low barrier to exploitation: the token is public, so no credential theft or secondary bug is needed. Public proof-of-concept code is likely to emerge given the simplicity of the attack vector. The vulnerability was published on 2025-12-30.
Organizations deploying RustFS in production environments, particularly those with exposed gRPC ports, are at significant risk. Shared hosting environments or deployments where RustFS is accessible from untrusted networks are especially vulnerable. Legacy configurations that haven't been updated to the latest version are also at increased risk.
• rust: Review the RustFS source you are running (or the vendored dependency) for the literal token "rustfs rpc" in the gRPC authentication path; its presence indicates a pre-fix build.
• linux / server: Monitor gRPC traffic for requests whose authorization metadata carries the value "rustfs rpc" (this page cites port 50051 as the default; confirm the actual listener port in your deployment's configuration). gRPC metadata travels inside HTTP/2 frames and is encrypted when TLS is enabled, so tcpdump or Wireshark will only show the header on plaintext listeners or with the TLS session keys available.
• generic web: Probe RustFS gRPC endpoints for access with the known token. Plain curl speaks HTTP/1.1 by default and a gRPC server rejects such a request before it ever reaches the authentication check, so use a gRPC-aware client instead, for example: grpcurl -plaintext -H 'authorization: rustfs rpc' <host:port> <service/method>. A vulnerable server processes the call; a fixed one rejects it.
Disclosure
Exploit status
EPSS
10.61% (93rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-68926 is to upgrade RustFS to version 1.0.0-alpha.78 or later, which removes the hardcoded token. If an immediate upgrade is not feasible, restrict access to the gRPC port with network segmentation or firewall rules so that only cluster peers can reach it. A reverse proxy in front of the listener cannot fix the hardcoded token itself, but it can log and alert on gRPC requests carrying the known value. There are no configuration workarounds in the vulnerable versions, because the token is neither rotatable nor configurable there. After upgrading, confirm the fix by attempting to authenticate with the original token; it must be rejected, and the new per-deployment secret must not be shared across clusters.
Update RustFS to version 1.0.0-alpha.78 or later. That version fixes the authentication vulnerability caused by the hardcoded token: the update removes the static token and requires a more secure authentication configuration.
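As an added illustration (not code from the RustFS project; only the token string is taken from the text above, while the function names, the error type, the assumed RUSTFS_RPC_SECRET variable and the 32-byte minimum secret length are assumptions), the following std-only Rust models the two authorization checks side by side: the vulnerable pattern that compares incoming gRPC metadata against a literal baked into the binary, and a hardened replacement that takes the secret from deployment configuration, fails closed when none is set, and compares in constant time. Request metadata is modelled as a HashMap in place of a real gRPC metadata map.

```rust
use std::collections::HashMap;

/// Constructed stand-in for gRPC request metadata (e.g. tonic's MetadataMap);
/// only the `authorization` entry matters for this example.
pub type Metadata = HashMap<String, String>;

/// The literal token quoted in the advisory text above. Shipping it in the
/// binary is the defect: every deployment accepts the same public value.
pub const HARDCODED_TOKEN: &str = "rustfs rpc";

/// Assumed minimum secret length for the hardened check (policy choice).
pub const MIN_SECRET_LEN: usize = 32;

#[derive(Debug, PartialEq, Eq)]
pub enum AuthError {
    /// No authorization metadata on the request.
    Missing,
    /// Token present but does not match.
    Invalid,
    /// Server has no usable secret configured; fail closed.
    NotConfigured,
}

/// Vulnerable pattern: accept a request whenever its authorization metadata
/// equals a constant compiled into the server.
pub fn authorize_hardcoded(md: &Metadata) -> Result<(), AuthError> {
    match md.get("authorization") {
        None => Err(AuthError::Missing),
        Some(token) if token == HARDCODED_TOKEN => Ok(()),
        Some(_) => Err(AuthError::Invalid),
    }
}

/// Constant-time equality over the full length, so response timing does not
/// reveal how long a matching prefix an attacker has guessed.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b.iter()).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Hardened pattern: the secret is supplied per deployment (read from an
/// environment variable or secrets file at startup; the caller passes it in
/// here), an absent or short secret rejects every request instead of
/// silently falling back to a default, and comparison is constant-time.
pub fn authorize_configured(md: &Metadata, secret: Option<&str>) -> Result<(), AuthError> {
    let secret = match secret {
        Some(s) if s.len() >= MIN_SECRET_LEN => s,
        _ => return Err(AuthError::NotConfigured),
    };
    let presented = md.get("authorization").ok_or(AuthError::Missing)?;
    if ct_eq(presented.as_bytes(), secret.as_bytes()) {
        Ok(())
    } else {
        Err(AuthError::Invalid)
    }
}

/// Build request metadata carrying one authorization value (test helper).
pub fn md_with(token: &str) -> Metadata {
    let mut md = Metadata::new();
    md.insert("authorization".to_string(), token.to_string());
    md
}

fn main() {
    // Constructed per-deployment secret; a real one comes from configuration
    // (RUSTFS_RPC_SECRET is an assumed name, not a documented setting).
    let secret = std::env::var("RUSTFS_RPC_SECRET")
        .unwrap_or_else(|_| "0123456789abcdef0123456789abcdef".to_string());

    println!("pre-fix check, public token:   {:?}", authorize_hardcoded(&md_with(HARDCODED_TOKEN)));
    println!("fixed check,   public token:   {:?}", authorize_configured(&md_with(HARDCODED_TOKEN), Some(&secret)));
    println!("fixed check,   correct secret: {:?}", authorize_configured(&md_with(&secret), Some(&secret)));
    println!("fixed check,   no secret set:  {:?}", authorize_configured(&md_with(&secret), None));
}
```

The four calls in main correspond to the post-upgrade check from the mitigation paragraph: the old public token must be rejected, only the deployment's own secret is accepted, and an unset or too-short secret rejects everyone rather than quietly reverting to a built-in default.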
CVE-2025-68926 is a critical vulnerability in RustFS where a hardcoded, publicly exposed token allows attackers to bypass authentication and gain privileged access.
If you are running RustFS versions prior to 1.0.0-alpha.78, you are affected by this vulnerability. Assess your deployments immediately.
Upgrade RustFS to version 1.0.0-alpha.78 or later to resolve the authentication bypass vulnerability. This is the recommended and primary mitigation.
While there is no confirmed active exploitation at this time, the ease of exploitation suggests it is likely to be targeted soon. Monitor your systems closely.
Refer to the official RustFS project repository and release notes for the advisory and detailed information regarding the fix.