Guide for Mitigating CVE-2025-52562

[ericwang401]

We have released v4.5.0, a critical security update and the second and final patch addressing CVE-2025-52562.

All users running affected versions (≥ v3.9.0-rc.3, ≤ v4.4.0) are strongly urged to upgrade to v4.5.0 immediately.
Even if you have already updated to v4.4.1, this release includes additional, essential security enhancements and must be applied to ensure complete protection.

---

Manual Action Required

This update is not fully automated. It includes critical steps for key rotation that must be performed manually to fully secure your environment.

Important

Before proceeding, back up your Convoy folder.
Simply duplicate the folder and store it in a safe location.

---

Step-by-Step Instructions

1. Update your panel
   Ensure you have updated to v4.5.0.

2. Run the key rotation script (in the folder containing your Convoy installation)

   This script will rotate your DB_PASSWORD and REDIS_PASSWORD values in the .env file. You will also be prompted to optionally rotate your APP_KEY.

   If you opt to rotate the APP_KEY, it will be replaced and the previous key will be saved under a new APP_PREVIOUS_KEYS variable to minimize service disruption.

3. Verify your environment file
   Review your .env file to ensure there are no formatting errors or missing values. While the script handles most setups, unique configurations may require manual verification.

4. Completion
   At this point, the critical update is complete. However, we strongly encourage you to continue with the additional credential rotations outlined below.

---

Rotating Additional Credentials (Strongly Recommended)

We strongly recommend rotating the following credentials, as they may have been exposed through this vulnerability:

• Proxmox VE tokens
  Refer to this token generation guide
• Application API keys
  For integrations such as WHMCS, Blesta, and others
• Coterm keys

---

What About the First Patch?

Patch 2 includes changes from patch 1 (v4.4.1). If you haven't updated to v4.4.1 already, you can update directly to patch 2, and there is no additional action needed.

---

Optional Integrity Checks

For environments where security assurance is critical, consider the following inspections:

• Review your database for any unauthorized users or changes to privileges
• Audit your Proxmox nodes for unusual or suspicious activity
• Examine the host machine running Convoy for unexpected behavior or processes

Please note: This list is not exhaustive but should serve as a practical starting point for system integrity checks.

---

If you have any questions or encounter issues, feel free to reach out or start a discussion.

Disclosure: this post was written by a human and edited by AI