CVE-2025-62712 Overview
CVE-2025-62712 is a missing authorization vulnerability [CWE-862] in JumpServer, an open source bastion host and operations security audit system maintained by Fit2Cloud. The flaw resides in the super-connection token API endpoint at /api/v1/authentication/super-connection-token/. When the endpoint is accessed from a web browser, it returns connection tokens created by all users instead of restricting the result set to tokens owned by or authorized for the requester. An authenticated, non-privileged user can collect these tokens and reuse them to initiate sessions against managed assets on behalf of other users, leading to unauthorized access and privilege escalation across systems brokered by JumpServer.
Critical Impact
Authenticated low-privileged users can harvest other users' connection tokens and pivot into managed assets, bypassing JumpServer's session brokering controls.
Affected Products
- Fit2Cloud JumpServer versions prior to v3.10.20-lts
- Fit2Cloud JumpServer 4.x versions prior to v4.10.11-lts
- Deployments exposing the /api/v1/authentication/super-connection-token/ endpoint to authenticated users
Discovery Timeline
- 2025-10-30 - CVE-2025-62712 published to NVD
- 2025-11-12 - Last updated in NVD database
Technical Details for CVE-2025-62712
Vulnerability Analysis
JumpServer issues short-lived connection tokens that authorize sessions to managed assets such as servers, databases, and network devices. The super-connection token endpoint was intended to expose tokens scoped to the calling identity. Instead, the list view of /api/v1/authentication/super-connection-token/ returned tokens belonging to every user when invoked from a browser context. Any authenticated account, regardless of role, could enumerate these tokens by issuing a standard GET request after logging in.
Because connection tokens function as bearer credentials inside JumpServer, an attacker who collects them can replay each token to open a session as the original owner. This converts a low-privileged JumpServer account into a stepping stone for accessing privileged assets that the attacker was never authorized to reach. The vulnerability is tracked under CWE-862: Missing Authorization.
Root Cause
The root cause is missing object-level authorization in the connection token retrieve and list logic within apps/authentication/api/connection_token.py. The view did not filter the queryset by the requesting user or verify ownership before returning token records, so the response set leaked tokens issued to other identities.
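To make the root cause concrete, the following is an added example written for this page, not JumpServer's own code: a minimal viewset in the Django-REST style the project uses, with the unscoped queryset beside the scoped one. The ConnectionToken fields, the sample users, assets and token values, the class names and the Request stub are all constructed for the demonstration.

```python
"""Added example (not JumpServer's code): the missing-authorization pattern
behind CVE-2025-62712, modelled as a minimal Django-REST-style viewset.

Everything below is constructed for the demonstration. Only the shape of
the bug mirrors the advisory: a list/retrieve view whose queryset is never
scoped to request.user, so every caller sees every owner's tokens.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionToken:
    id: str
    user: str      # owner of the token
    asset: str     # asset the token authorises a session to
    value: str     # bearer secret (constructed, not a real token)


# Constructed sample rows standing in for the connection-token table.
TOKENS = [
    ConnectionToken("t1", "admin", "db-prod-01", "secret-admin-1"),
    ConnectionToken("t2", "alice", "web-01", "secret-alice-1"),
    ConnectionToken("t3", "bob", "web-02", "secret-bob-1"),
]


class Request:
    """Stub for the authenticated request object a viewset receives."""

    def __init__(self, user):
        self.user = user


class VulnerableSuperConnectionTokenView:
    """Before the fix: list/retrieve run over the unscoped table."""

    def __init__(self, request):
        self.request = request

    def get_queryset(self):
        # Missing authorization: no filter on the calling identity.
        return list(TOKENS)

    def list(self):
        return [t.id for t in self.get_queryset()]

    def retrieve(self, token_id):
        for t in self.get_queryset():
            if t.id == token_id:
                return t
        raise LookupError("404")


class FixedSuperConnectionTokenView(VulnerableSuperConnectionTokenView):
    """After the fix (illustrative): scope the queryset to request.user.

    Filtering in get_queryset() means every action built on it (list,
    retrieve, update, delete) inherits the object-level check, so asking
    for a foreign token id yields 404 instead of another user's secret.
    """

    def get_queryset(self):
        return [t for t in TOKENS if t.user == self.request.user]


def harvest(view):
    """What an attacker does with the vulnerable list view: pull every
    token value and index it by the asset it unlocks."""
    return {t.asset: t.value for t in view.get_queryset()}


if __name__ == "__main__":
    bob = Request("bob")
    print("vulnerable:", harvest(VulnerableSuperConnectionTokenView(bob)))
    print("fixed:     ", harvest(FixedSuperConnectionTokenView(bob)))
```

The design point is that the filter lives in get_queryset() rather than in one action: a check added only to list() leaves retrieve() exposed to anyone who can guess or learn a token id. If a service identity genuinely needs cross-user access, that should be an explicit, separately permission-checked path, never the unscoped default.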
Attack Vector
The attack is remote and network-reachable, requires a valid low-privileged JumpServer login, and needs no user interaction. An attacker authenticates, navigates to or fetches the super-connection token API in a browser session, parses the returned tokens, and uses them to initiate connections to assets bound to those tokens.
# Source: https://github.com/jumpserver/jumpserver/commit/453ad331eec9d9667a38de735d6612608e558491
# Patch excerpt from apps/authentication/api/connection_token.py
        self.validate_serializer(serializer)
        return super().perform_create(serializer)

    def _insert_connect_options(self, data, user):
        connect_options = data.pop('connect_options', {})
        default_name_opts = {
The lines quoted above come from the token creation path (perform_create and _insert_connect_options) and do not by themselves show the authorization change. The upstream commit 453ad331eec9d9667a38de735d6612608e558491 adjusts the token retrieval logic so that the queryset is constrained to the requesting user before responses are serialized; review the full diff of that commit, not this fragment, when validating a backport.
Detection Methods for CVE-2025-62712
Indicators of Compromise
- HTTP GET requests to /api/v1/authentication/super-connection-token/ from accounts that do not normally administer JumpServer.
- Connection token IDs appearing in session initiation requests from a user different from the token's original owner.
- Spikes in successful asset connections originating from a single low-privileged JumpServer account across unrelated asset groups.
Detection Strategies
- Audit JumpServer application logs and web access logs for requests to the super-connection-token endpoint and correlate the requesting user with the returned token owners.
- Alert on any non-admin account that retrieves more than a small baseline of connection tokens within a short interval.
- Compare the user field on issued tokens with the authenticated principal that subsequently consumes them in connect actions.
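The three strategies above, as an added example that is not part of the original page or of JumpServer: hunting logic run over constructed log records. The JSON-lines shape, the field names, the set of administrative accounts, the baseline and the window size are assumptions; map them onto the reverse-proxy access log and the JumpServer audit and session events you actually forward.

```python
"""Added example (not JumpServer's code): detection logic for
CVE-2025-62712 run over constructed log records.

Assumptions: records are JSON lines; proxy hits carry the JumpServer
user; audit events record who created and who consumed each token.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ENDPOINT = "/api/v1/authentication/super-connection-token/"
ADMINS = {"admin"}          # assumed: accounts expected to use this API
BASELINE = 2                # assumed: max endpoint hits per window
WINDOW = timedelta(minutes=5)

# Constructed sample records. bob (non-admin) hammers the endpoint, then
# connects to web-01 with token t2, which alice created.
SAMPLE_LOG = """\
{"ts":"2025-11-01T10:00:00","kind":"http","user":"admin","method":"GET","path":"/api/v1/authentication/super-connection-token/","status":200}
{"ts":"2025-11-01T10:01:00","kind":"http","user":"bob","method":"GET","path":"/api/v1/authentication/super-connection-token/","status":200}
{"ts":"2025-11-01T10:01:30","kind":"http","user":"bob","method":"GET","path":"/api/v1/authentication/super-connection-token/","status":200}
{"ts":"2025-11-01T10:02:00","kind":"http","user":"bob","method":"GET","path":"/api/v1/authentication/super-connection-token/","status":200}
{"ts":"2025-11-01T10:02:10","kind":"audit","event":"token.create","user":"alice","token_id":"t2"}
{"ts":"2025-11-01T10:03:00","kind":"audit","event":"session.connect","user":"bob","token_id":"t2","asset":"web-01"}
{"ts":"2025-11-01T10:04:00","kind":"audit","event":"session.connect","user":"alice","token_id":"t2","asset":"web-01"}
"""


def parse(text):
    """Parse JSON lines into dicts with a datetime 'ts' field."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def _is_endpoint_hit(rec):
    return (rec.get("kind") == "http" and rec.get("method") == "GET"
            and rec.get("path") == ENDPOINT)


def non_admin_endpoint_hits(records):
    """Strategy 1: any non-admin account reading the endpoint at all."""
    return sorted({r["user"] for r in records
                   if _is_endpoint_hit(r) and r["user"] not in ADMINS})


def burst_alerts(records):
    """Strategy 2: more than BASELINE hits by one non-admin inside WINDOW.
    Returns {user: peak hits observed within a single window}."""
    hits = defaultdict(list)
    for r in records:
        if _is_endpoint_hit(r) and r["user"] not in ADMINS:
            hits[r["user"]].append(r["ts"])
    alerts = {}
    for user, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window
            while t - times[start] > WINDOW:
                start += 1
            count = end - start + 1
            if count > BASELINE:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts


def foreign_token_use(records):
    """Strategy 3: a token consumed by a principal other than its creator.
    Returns (consumer, token_id, owner) triples; tokens with no recorded
    creator are skipped rather than guessed at."""
    owner = {r["token_id"]: r["user"] for r in records
             if r.get("event") == "token.create"}
    return [(r["user"], r["token_id"], owner[r["token_id"]])
            for r in records
            if r.get("event") == "session.connect"
            and r["token_id"] in owner and owner[r["token_id"]] != r["user"]]


def hunt(text=SAMPLE_LOG):
    recs = parse(text)
    return {"non_admin_readers": non_admin_endpoint_hits(recs),
            "bursts": burst_alerts(recs),
            "foreign_token_use": foreign_token_use(recs)}


if __name__ == "__main__":
    print(json.dumps(hunt(), indent=2))
```

Strategy 3 is the highest-fidelity signal: a session opened with a token its consumer never created is the replay itself, not merely the reconnaissance that precedes it, so it deserves a higher severity than the endpoint-read alerts.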
Monitoring Recommendations
- Forward JumpServer audit logs and reverse proxy access logs to a centralized SIEM and retain them long enough to support retrospective hunting.
- Track session establishment events to privileged assets and flag sessions opened by accounts without a documented business need for those targets.
- Monitor for new or unexpected API consumers of the authentication endpoints, particularly browser-based requests carrying session cookies for standard users.
How to Mitigate CVE-2025-62712
Immediate Actions Required
- Upgrade JumpServer to a fixed release as soon as possible: v3.10.20-lts or later on the 3.x line, v4.10.11-lts or later on the 4.x line.
- Rotate or invalidate existing connection tokens issued before the upgrade to prevent replay of previously exposed tokens.
- Review JumpServer audit logs for prior access to /api/v1/authentication/super-connection-token/ by non-administrative users and investigate any matches.
Patch Information
Fit2Cloud fixed the issue in JumpServer v3.10.20-lts and v4.10.11-lts. The corrective change is published in the upstream repository as commit 453ad331eec9d9667a38de735d6612608e558491 and described in the GitHub Security Advisory GHSA-6ghx-6vpv-3wg7.
Workarounds
- Restrict network access to the JumpServer management interface so that only trusted administrative networks can reach the authentication API endpoints until patching is complete.
- Temporarily disable dormant, shared, or non-essential accounts to shrink the pool of logins able to query the vulnerable endpoint. Any valid login suffices to exploit the flaw, so forcing password resets on accounts that remain enabled does not by itself reduce exposure.
- Shorten connection token lifetimes in JumpServer configuration to limit the window during which a leaked token remains usable.
# Verify the installed JumpServer version after upgrade (container name
# jms_core and path /opt/jumpserver are the Docker deployment defaults)
docker exec jms_core grep VERSION /opt/jumpserver/apps/jumpserver/const.py

# Confirm the patched endpoint behaviour: as a non-admin user, the returned
# list must contain only that user's own tokens. The advisory describes the
# leak when the endpoint is opened from a web browser, so repeat the check
# while logged in through the browser (session cookie), not only with an
# API token as below.
curl -s -H "Authorization: Bearer <user_token>" \
     https://jumpserver.example.com/api/v1/authentication/super-connection-token/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.