CVE-2025-29314: 
Java vulnerability analysis and mitigation

CVE-2025-29314 affects OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below. The vulnerability stems from insecure Shiro cookie configurations that allow attackers to access sensitive information through man-in-the-middle attacks. The issue was discovered and disclosed on March 24, 2025 (NVD).

The vulnerability exists due to Shiro's default settings disabling Secure and HttpOnly flags (secureCookies=false, httpOnly=false) in the cookie configuration. This exposes session IDs to plaintext transmission over HTTP and client-side script access. The CVSS v3.1 base score is 8.1 (HIGH) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD, CSDN Blog).

The vulnerability allows attackers to intercept session IDs via man-in-the-middle attacks and reuse them for unauthorized access. This can lead to session hijacking, privilege escalation, and unauthorized access to sensitive SFC configurations. Attackers can potentially manipulate service chains and disrupt network services (CSDN Blog).

Organizations should enable Secure and HttpOnly flags in Shiro's cookie configuration, implement session ID regeneration after authentication, and strengthen authorization mechanisms. Additionally, implementing proper session validation that checks user identity and context can help prevent session hijacking attacks (CSDN Blog).