CVE-2025-21604
CVE-2025-21604 is a medium-severity vulnerability with a CVSS 4.0 base score of 6.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-328.
Key facts
- Severity: Medium (CVSS 4.0 base score 6.9)
- EPSS exploit prediction: 0% (16th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-2569
- Weakness: CWE-328
- Published:
- Last modified:
Description
LangChain4j-AIDeepin is a Retrieval enhancement generation (RAG) project. Prior to 3.5.0, LangChain4j-AIDeepin uses MD5 to hash files, which may cause file upload conflicts. This issue is fixed in 3.5.0.
Frequently asked questions
- What is CVE-2025-21604?
- LangChain4j-AIDeepin is a Retrieval enhancement generation (RAG) project. Prior to 3.5.0, LangChain4j-AIDeepin uses MD5 to hash files, which may cause file upload conflicts. This issue is fixed in 3.5.0.
- How severe is CVE-2025-21604?
- CVE-2025-21604 has a CVSS 4.0 base score of 6.9, rated medium severity.
- Is CVE-2025-21604 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (16th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2025-21604?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-21604 have an EU (EUVD) identifier?
- Yes. CVE-2025-21604 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-2569.
- When was CVE-2025-21604 published?
- CVE-2025-21604 was published on 2025-01-06 and last updated on 2026-06-17.
References
- https://github.com/moyangzhan/langchain4j-aideepin/commit/3cf625c5044a151a8cbcbdf98e10b4b46b8a975a
- https://github.com/moyangzhan/langchain4j-aideepin/security/advisories/GHSA-cv5r-73vf-8x7v
Other CWE-328 vulnerabilities
- CVE-2026-36182 — Critical (CVSS 9.8): GNCC GP5 v7.1.76 was discovered to utilize a weak hashing algorithm to protect the root password, possibly allowing…
- CVE-2020-37168 — Critical (CVSS 9.8): Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force…
- CVE-2025-41652 — Critical (CVSS 9.8): The devices are vulnerable to an authentication bypass due to flaws in the authorization mechanism. An unauthenticated…
- CVE-2025-27595 — Critical (CVSS 9.8): The device uses a weak hashing alghorithm to create the password hash. Hence, a matching password can be easily…
- CVE-2022-45141 — Critical (CVSS 9.8): Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and…
- CVE-2023-0452 — Critical (CVSS 9.8): Econolite EOS versions prior to 3.2.23 use a weak hash algorithm for encrypting privileged user credentials. A…