CVE-2025-69971
Hard-Coded JWT Secret in FUXA 1.2.7 Enables Admin Access
Publication date: 2026-02-03
Last updated on: 2026-02-28
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frangoteam | fuxa | 1.2.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
FUXA 1.2.7 ships a hard-coded secret in server/api/jwt-helper.js.
That secret is used both to sign and to verify the JSON Web Tokens that carry a user's session, so the security of every login rests on a value that is identical in every installation and visible to anyone who reads the source.
An unauthenticated remote attacker who knows the secret can sign a token claiming administrative privileges and present it to the server, which accepts it as genuine; the login step is bypassed entirely.
The result is full administrative access to the application without any valid credentials.
How can this vulnerability impact me?
An attacker with network access to the FUXA web interface can bypass authentication and obtain full administrative access without a password.
With administrative privileges they can read and alter configuration and project data, access sensitive information, create or modify user accounts, and disrupt normal operation; because FUXA is a web-based SCADA/HMI front end, that can extend to the process views and device connections it manages.
The consequences range from data exposure and loss of integrity to unauthorized changes and full compromise of the application.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is a hard-coded secret key in server/api/jwt-helper.js that is used both to sign and to verify JWT tokens, so anyone who knows the secret can forge an admin token.
To detect the vulnerable code, inspect the FUXA source, specifically server/api/jwt-helper.js, for a secret that appears as a string literal in the file rather than a value read from configuration or the environment.
On a deployed system, the definitive test is whether a token issued by that instance verifies under the known static secret; if it does, the instance is affected regardless of the version it reports.
- Search the source for hard-coded secrets, for example: grep -rn -i 'secret' server/api/jwt-helper.js
- Capture a JWT from the traffic between a browser and the FUXA server (tcpdump or Wireshark on plain HTTP, or the browser's developer tools when TLS is in use), decode its header and payload with a JWT debugging tool, and check whether the signature verifies against the known secret.
- With curl, send a token you signed yourself with the known secret to an authenticated API endpoint; if the server treats the request as authenticated, the bypass is confirmed. [1]
What immediate steps should I take to mitigate this vulnerability?
Remove the hard-coded secret from server/api/jwt-helper.js and replace it with a per-installation secret that is generated from a cryptographically secure random source, stored in an environment variable or a protected configuration file outside the source tree, and never committed to the repository.
Because tokens signed with a shared secret are validated only by that secret, changing it invalidates every token issued or forged under the old value; make sure the server refuses to start with an empty or default secret rather than falling back silently.
Update FUXA to the latest version if a release addressing this issue is available.
Review authentication and API access for administrative activity that does not match known operators, and reset administrative credentials, since an attacker who held admin access may have created accounts or changed passwords.