PT-2025-48710 · Nocobase · Nocobase

28Hus · Published 2025-12-02 · Updated 2025-12-09 · CVE-2025-13877

CVSS v3.1: 5.6 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: nocobase versions 1.9.4 and 2.0.0-alpha.37
Description: A security issue exists in nocobase that can be exploited remotely, although attack complexity is high and exploitation is considered difficult. The issue involves the manipulation of the API KEY argument within an unknown function in the file nocobase/packages/core/auth/src/base/jwt-service.ts of the JWT Service component, leading to the use of a hard-coded cryptographic key. The exploit is publicly available. The vendor was notified but did not respond.
Recommendations: Versions prior to 1.9.4 and 2.0.0-alpha.37 should be updated.

Related Identifiers: CVE-2025-13877

Affected Products: Nocobase