CVE-2025-30206: Dpanel's hard-coded JWT secret leads to remote code execution

April 15, 2025 (updated April 23, 2025)

The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine.

References

github.com/advisories/GHSA-j752-cjcj-w847
github.com/donknap/dpanel
github.com/donknap/dpanel/security/advisories/GHSA-j752-cjcj-w847
nvd.nist.gov/vuln/detail/CVE-2025-30206
pkg.go.dev/vuln/GO-2025-3612

Code Behaviors & Features

Detect and mitigate CVE-2025-30206 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →