Missing encryption of sensitive data in CapillaryScope

Posted date 23/07/2025
Identifier
INCIBE-2025-0401
Importance
3 - Medium
Affected Resources

CapillaryScope, versions prior to 2.5.0.

Description

INCIBE has coordinated the publication of a medium-severity vulnerability affecting CapillaryScope from Capillary io, a tool for automatically analysing capillaroscopy images. The vulnerability was discovered by Ismael Melchor Juan and Pedro José Navas Pérez.

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and vulnerability CWE type:

  • CVE-2025-40680: CVSS v4.0: 6.9 | CVSS AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N | CWE-311

Solution

The vulnerability has been fixed by the Capillary io team in version 2.5.1.

Detail

CVE-2025-40680: lack of sensitive data encryption in CapillaryScope v2.5.0 of Capillary io, which stores both the proxy credentials and the JWT session token in plain text within different registry keys on the Windows operating system. Any authenticated local user with read access to the registry can extract these sensitive values.
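An audit sketch for the condition described above, added here as an example and not taken from the advisory or the vendor: it scans the text of a `reg export` file for JWT-shaped strings and for non-empty values stored under secret-like names, reporting only where they are, never the values. The advisory does not name the affected registry keys, so the key paths and value names in the sample are hypothetical placeholders; real exports are UTF-16 and must be decoded before being passed in.

```python
import base64
import json
import re

# Constructed sample in `reg export` text format. Key paths and value names
# are hypothetical placeholders, not CapillaryScope's real registry layout.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp\Session]
"Token"="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl"

[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp\Proxy]
"ProxyUser"="demo"
"ProxyPassword"="constructed-value"
"ProxyPort"=dword:00001f90
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
JWT_RE = re.compile(r'^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$')
SECRET_NAME_RE = re.compile(r'pass|secret|token|credential', re.I)

def looks_like_jwt(value):
    """True if value is three base64url parts whose header is JSON with 'alg'."""
    if not JWT_RE.match(value):
        return False
    head = value.split('.')[0]
    try:
        header = json.loads(base64.urlsafe_b64decode(head + '=' * (-len(head) % 4)))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False
    return isinstance(header, dict) and 'alg' in header

def audit_reg_export(text):
    """Return (key, value_name, reason) findings; secret values are never returned."""
    findings, key = [], None
    for line in map(str.strip, text.splitlines()):
        if KEY_RE.match(line):
            key = line[1:-1]
        elif key and (m := VAL_RE.match(line)):  # skips dword/hex/blank lines
            name, value = m.groups()
            if looks_like_jwt(value):
                findings.append((key, name, 'plaintext JWT'))
            elif value and SECRET_NAME_RE.search(name):
                findings.append((key, name, 'plaintext value under secret-like name'))
    return findings

if __name__ == '__main__':
    print(*audit_reg_export(SAMPLE_REG), sep='\n')
```

A clean result after upgrading to the fixed version only shows that no values match these heuristics; it does not prove the stored data is encrypted.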

CVE
Exploitation
No
New vendor
Capillary io
CVE identifier
CVE-2025-40680
Severity
Medium