Platform: rust
Component: rustfs
Fixed in: 1.0.1, 1.0.0-alpha.78
CVE-2025-68926 describes a critical authentication bypass in RustFS. Because the gRPC authentication token is hardcoded in the source code and therefore public, any attacker who can reach the gRPC port can execute privileged operations. The vulnerability affects versions prior to 1.0.0-alpha.78 and is fixed in that release; upgrade without delay.
The impact of CVE-2025-68926 is severe. The token is a string literal in the RustFS source code, so it is the same in every build and every deployment, and there is no way to rotate or configure it. Anyone who can reach the gRPC port can present that value and pass authentication without holding any credential. The resulting privileged access permits data destruction, policy manipulation, and cluster configuration changes, so the flaw threatens both data integrity and system availability.
CVE-2025-68926 is currently not listed in the CISA KEV catalog. Its EPSS score at the time of writing is 10.61% (93rd percentile), reflecting how easy the attack is: the token is public and no credential needs to be guessed. Public proof-of-concept exploits are likely to appear given the simplicity of the attack vector. The vulnerability was published on 2025-12-30.
Organizations deploying RustFS in production environments, particularly those with exposed gRPC ports, are at significant risk. Shared hosting environments or deployments where RustFS is accessible from untrusted networks are especially vulnerable. Legacy configurations that haven't been updated to the latest version are also at increased risk.
• rust: Examine the RustFS source code (or the vendored copy in your build) for the hardcoded token "rustfs rpc".
• linux / server: Monitor gRPC traffic (port 50051 by default) for authentication attempts using the token "rustfs rpc". Capture with tcpdump and analyze in Wireshark. Note that gRPC metadata travels as HTTP/2 headers, which are HPACK-compressed and usually Huffman-coded, so grepping raw packet bytes for the literal string is unreliable; use Wireshark's HTTP/2 dissector (for example the display filter http2.header.name == "authorization") to see the decoded header value.
• generic web: Check whether the RustFS gRPC endpoint accepts the known token. Plain curl cannot speak gRPC (it needs HTTP/2 plus gRPC message framing), so use grpcurl: grpcurl -plaintext -H 'authorization: rustfs rpc' <host:port> list. The list command needs server reflection; without it, pass the service .proto files with -proto instead. A vulnerable server answers the request; a patched server rejects the token.
Exploit status
EPSS
10.61% (93rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-68926 is to upgrade RustFS to version 1.0.0-alpha.78 or later, which removes the hardcoded token. If an immediate upgrade is not feasible, restrict access to the gRPC port with network segmentation so that only cluster nodes can reach it; every other host with a route to that port can authenticate. A WAF or proxy cannot fix the hardcoded token itself, but it can add a layer of defense by alerting on unexpected gRPC clients. There is no configuration workaround short of upgrading. After upgrading, confirm the fix by attempting to authenticate with the original token; it must be rejected.
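As an added illustration (not RustFS's own code), the example below models both designs side by side: a check against a string literal, which is the class of flaw CVE-2025-68926 describes, and a hardened checker that takes a per-deployment secret, refuses short or leaked values, and compares in constant time. It also performs, in miniature, the post-upgrade verification from the mitigation above: the leaked token is rejected once the check is hardened. The real RustFS check sits in a gRPC (tonic) interceptor over request metadata; here a std HashMap stands in for the metadata map so the code runs without dependencies. The metadata key "authorization" follows the page's own curl check; the RUSTFS_RPC_SECRET environment variable and the 32-byte minimum length are assumptions for this example, not project settings.

```rust
use std::collections::HashMap;

/// Stand-in for gRPC request metadata (tonic's MetadataMap).
/// Constructed for this example; keys are lower-case as on the wire in HTTP/2.
pub type Metadata = HashMap<String, Vec<u8>>;

#[derive(Debug, PartialEq)]
pub enum AuthError {
    Unauthenticated,
    Misconfigured,
}

/// The token value that was public in the vulnerable releases.
const LEAKED_TOKEN: &[u8] = b"rustfs rpc";

/// VULNERABLE pattern (CVE-2025-68926 class): the expected value is a literal
/// compiled into the binary, so every deployment accepts the same token and
/// nothing an operator configures can change it.
pub fn check_auth_vulnerable(md: &Metadata) -> Result<(), AuthError> {
    match md.get("authorization") {
        Some(v) if v.as_slice() == LEAKED_TOKEN => Ok(()),
        _ => Err(AuthError::Unauthenticated),
    }
}

/// Hardened checker: the secret is supplied per deployment at start-up,
/// validated once, and compared without early exit on mismatching bytes.
pub struct AuthChecker {
    secret: Vec<u8>,
}

impl AuthChecker {
    /// Minimum secret length; an assumption for this example.
    const MIN_LEN: usize = 32;

    pub fn new(secret: impl Into<Vec<u8>>) -> Result<Self, AuthError> {
        let secret: Vec<u8> = secret.into();
        // Refuse to start with a weak secret or with the leaked literal itself.
        if secret.len() < Self::MIN_LEN || secret.as_slice() == LEAKED_TOKEN {
            return Err(AuthError::Misconfigured);
        }
        Ok(Self { secret })
    }

    /// Load the secret from RUSTFS_RPC_SECRET (hypothetical variable name).
    pub fn from_env() -> Result<Self, AuthError> {
        let s = std::env::var("RUSTFS_RPC_SECRET").map_err(|_| AuthError::Misconfigured)?;
        Self::new(s)
    }

    pub fn check(&self, md: &Metadata) -> Result<(), AuthError> {
        let presented = md.get("authorization").ok_or(AuthError::Unauthenticated)?;
        if ct_eq(presented, &self.secret) {
            Ok(())
        } else {
            Err(AuthError::Unauthenticated)
        }
    }
}

/// Constant-time byte comparison: no early return on the first differing byte.
/// The length check leaks only the secret's length, which is not sensitive.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

/// Build constructed sample metadata with an optional authorization value.
pub fn md(token: Option<&str>) -> Metadata {
    let mut m = Metadata::new();
    m.insert("content-type".to_string(), b"application/grpc".to_vec());
    if let Some(t) = token {
        m.insert("authorization".to_string(), t.as_bytes().to_vec());
    }
    m
}

fn main() {
    let with_leaked = md(Some("rustfs rpc"));
    println!("vulnerable check, leaked token: {:?}", check_auth_vulnerable(&with_leaked));

    // Post-upgrade verification in miniature: the old token must be rejected.
    let secret = "0123456789abcdef0123456789abcdef"; // constructed sample secret
    let checker = AuthChecker::new(secret).expect("secret meets policy");
    println!("hardened check, leaked token: {:?}", checker.check(&with_leaked));
    println!("hardened check, correct token: {:?}", checker.check(&md(Some(secret))));
    println!("startup with leaked literal as secret: {:?}", AuthChecker::new("rustfs rpc").is_err());
}
```

The startup-time validation is the part worth copying: a server that refuses to boot with a missing, short, or known-bad secret cannot silently fall back to a shared default, which is exactly how a fixed literal becomes a fleet-wide bypass.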
Update RustFS to version 1.0.0-alpha.78 or later. That release fixes the hardcoded-token authentication vulnerability: the static token is removed and a properly configured authentication secret is required instead.
CVE-2025-68926 is a critical vulnerability in RustFS where a hardcoded, publicly exposed token allows attackers to bypass authentication and gain privileged access.
If you are running RustFS versions prior to 1.0.0-alpha.78, you are affected by this vulnerability. Assess your deployments immediately.
Upgrade RustFS to version 1.0.0-alpha.78 or later to resolve the authentication bypass vulnerability. This is the recommended and primary mitigation.
While there is no confirmed active exploitation at this time, the ease of exploitation suggests it is likely to be targeted soon. Monitor your systems closely.
Refer to the official RustFS project repository and release notes for the advisory and detailed information regarding the fix.