PT-2025-21802 · Donetick · Donetick

S4Dmach1Ne · Published 2025-05-17 · Updated 2025-05-17 · CVE-2025-47945

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Donetick versions prior to 0.1.44
Description: The issue concerns the use of JSON Web Tokens (JWT) for authentication in Donetick, an open-source task management application. Prior to version 0.1.44, the application ships with a weak default signing secret; anyone who knows it can forge tokens and take full control of any user's account. The weakness was confirmed in the live version of the application. Changing the signing secret is left to the system administrator, which is inadequate as the only safeguard.
Recommendations: For versions prior to 0.1.44, update to version 0.1.44 or later to patch the vulnerability. As a temporary workaround, consider changing the default signing secret to a stronger value to minimize the risk of exploitation. Restrict access to sensitive features that rely on JWT authentication until the update is applied.
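The advisory's root cause is a signing secret that the application never forces the administrator to change. The following added example (not Donetick's own code) shows the defensive pattern a maintainer or operator would want: a startup guard that refuses to run with an unset, placeholder, or short secret, beside a minimal HS256 sign/verify pair that demonstrates why tokens minted under a default secret no longer validate once the secret is replaced. The placeholder default, the `DONETICK_JWT_SECRET` variable name and the 32-byte minimum are assumptions for the example; the advisory does not publish the real default.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"os"
	"strings"
)

const placeholderDefault = "CHANGE-ME-DEFAULT-SECRET" // constructed placeholder; the advisory does not print the real default

// CheckSigningSecret is a startup guard: refuse an unset, default, or short secret.
func CheckSigningSecret(secret string) error {
	if secret == "" || secret == placeholderDefault {
		return fmt.Errorf("jwt secret is unset or still the shipped default; set a unique value")
	}
	if len(secret) < 32 { // 256 bits of key material for HMAC-SHA256
		return fmt.Errorf("jwt secret is %d bytes, need at least 32", len(secret))
	}
	return nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// SignHS256 builds header.payload.signature over the given JSON claims.
func SignHS256(claims, secret string) string {
	unsigned := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64([]byte(claims))
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(unsigned))
	return unsigned + "." + b64(mac.Sum(nil))
}

// VerifyHS256 recomputes the MAC under the configured secret (constant-time compare; the alg header is ignored).
func VerifyHS256(token, secret string) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(parts[0] + "." + parts[1]))
	return hmac.Equal([]byte(b64(mac.Sum(nil))), []byte(parts[2]))
}

func main() { // DONETICK_JWT_SECRET is an assumed variable name, not the project's setting
	if err := CheckSigningSecret(os.Getenv("DONETICK_JWT_SECRET")); err != nil {
		fmt.Println("refusing to start:", err)
		os.Exit(1)
	}
}
```

Rotating the secret invalidates every outstanding session, which is the desired effect after applying the workaround above: tokens issued under the old default stop verifying immediately.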

Related Identifiers

CVE-2025-47945
GHSA-HJJG-VW4J-986X

Affected Products

Donetick