PT-2026-25881 · Npm · @Frangoteam/Fuxa
Publicado
2026-03-07
·
Atualizado
2026-03-07
CVSS v4.0
8.1
Alta
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U |
FUXA used a static fallback JWT signing secret (
frangoteam751) when no secretCode was configured.If authentication was enabled without explicitly setting a custom secret, an attacker who knew the default value could forge valid JWT tokens and bypass authentication.
This issue has been addressed in version 1.3.0 by removing the static fallback and generating a secure random secret when no
secretCode is provided.Correção
Using Hardcoded Credentials
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
@Frangoteam/Fuxa