Overview
CVE-2025-65730 describes an authentication bypass vulnerability in GoAway, a project (likely a service or application), affecting versions up to and including 0.62.18. The vulnerability stems from the use of a hardcoded secret key for signing the JSON Web Tokens (JWTs) that the application uses for authentication. Anyone who learns that key can forge valid JWTs and gain unauthorized access to the system. The vulnerability is fixed in version 0.62.19.
Technical Details
The vulnerability resides in the authentication mechanism of GoAway. Specifically, the application used a hardcoded string as the secret key for signing JWTs. This secret key was present in the source code and therefore easily discoverable. An attacker could extract this secret key and use it to create their own JWTs, impersonating any user, including administrative accounts.
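As an added illustration, not GoAway's own code, the weak pattern described above is placed beside a hardened one using only Go's standard library: a random per-deployment key replaces the source literal, and the verifier rejects any token minted under a different key. The names `hardcodedSecret` (a placeholder value), `generateSigningKey`, `SignHS256` and `VerifyHS256` are assumptions for this example, not identifiers from the project.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var enc = base64.RawURLEncoding
// Weak pattern described for GoAway <= 0.62.18: the HS256 key is a literal in the source (placeholder value).
const hardcodedSecret = "PLACEHOLDER-HARDCODED-SECRET"
// Hardened pattern: a random 256-bit key generated per deployment and kept in protected config, never in the repo.
func generateSigningKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// SignHS256 produces a compact JWT (header.payload.signature) using HS256.
func SignHS256(key []byte, claims map[string]any) string {
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + enc.EncodeToString(mac.Sum(nil))
}

// VerifyHS256 pins alg to HS256 and compares the MAC in constant time; a token under any other key is rejected.
func VerifyHS256(key []byte, token string) (map[string]any, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := enc.DecodeString(p[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported or invalid header")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(p[0] + "." + p[1]))
	if sig, err := enc.DecodeString(p[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	claims := map[string]any{}
	raw, _ := enc.DecodeString(p[1])
	return claims, json.Unmarshal(raw, &claims)
}
```

A verifier that shares the literal accepts a token signed with it, which is the bypass; the same token fails against a key produced by `generateSigningKey`.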
The affected code can be found in the following files (version 0.62.18):
- backend/api/auth.go – authentication logic
- backend/api/middleware.go – authentication middleware and its setup
The fix introduced a secure method for generating and managing the secret key. Details of the specific change can be found in the commit:
CVSS Analysis
Currently, the CVE does not have a CVSS score assigned. However, due to the nature of the vulnerability (authentication bypass), it would likely receive a Critical severity rating once assessed. The ability to bypass authentication entirely allows for complete system compromise.
Possible Impact
The impact of this vulnerability is severe. Successful exploitation allows an attacker to:
- Gain complete control over the GoAway application.
- Access sensitive data managed by the application.
- Modify or delete data.
- Potentially pivot to other systems on the network, depending on the application’s role and permissions.
- Disrupt service availability.
Mitigation and Patch Steps
The primary mitigation is to upgrade to GoAway version 0.62.19 or later immediately. This version contains the fix for the hardcoded secret key vulnerability.
- Identify affected systems: Determine which systems are running vulnerable versions of GoAway (<= 0.62.18).
- Back up your data: Before applying any updates, back up the application data and configuration.
- Upgrade GoAway: Follow the official upgrade instructions provided by the GoAway project. The latest release is listed on the GoAway Releases page. Even if the linked release tag is lower than 0.62.19, always refer to the official releases page for the *latest* version.
- Verify the fix: After upgrading, confirm that the running version is 0.62.19 or later and that the authentication mechanism uses a securely generated and managed secret key; tokens issued under the old hardcoded key should no longer be accepted.
- Monitor for suspicious activity: Keep an eye on your logs and systems for any signs of unauthorized access or malicious activity.
