PT-2020-21479 · Flood +1
Published 2020-08-26 · Updated 2020-08-26
Severity: None (no severity ratings or metrics are available)
Name of the Vulnerable Software and Affected Versions
Flood (affected versions not specified)
Description
A critical issue allows Flood's built-in authentication to be bypassed. The cause is that the server-side JWT signing secret is bundled into the static client assets and therefore served to every client. Anyone holding this secret can sign their own authentication tokens and bypass Flood's access control entirely. Because Flood has access to rTorrent's SCGI interface, which is unprotected and allows arbitrary code execution, and because Flood applies no further security controls to authenticated users, the severity of this issue is critical.
Recommendations
To resolve the issue, users should upgrade if they use Flood's built-in authentication system.
As a temporary workaround, consider using HTTP Basic Auth or other battle-hardened authentication methods instead of Flood's in-house one.
Users can use disableUsersAndAuth to avoid duplicate authentication.
Restrict access to sensitive components until a patch is applied.
Apply the patch from commit 042cb4ce or 103f53c8, which removes the imports of config.js from client components and adds an eslint rule that prevents config.js from being imported into client components.
Apply the general mitigation from commit 103f53c8, which searches the static assets and ensures the secret is not included in them before the server starts.
Related Identifiers
Affected Products
Flood
Rtorrent