Vulnerability-Lookup

CVE-2025-13877 (GCVE-0-2025-13877)

Vulnerability from cvelistv5 – Published: 2025-12-02 16:02 – Updated: 2025-12-02 16:18

Title

nocobase JWT Service jwt-service.ts hard-coded key

Summary

A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of the file nocobase\packages\core\auth\src\base\jwt-service.ts of the component JWT Service. The manipulation of the argument API_KEY results in use of hard-coded cryptographic key . The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Severity

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

5.6 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

5.6 (Medium)


                        
                          CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

CWE

CWE-321 - Use of Hard-coded Cryptographic Key
CWE-320 - Key Management Error

Assigner

VulDB

References

4 references

URL	Tags
https://vuldb.com/?id.334033	vdb-entrytechnical-description
https://vuldb.com/?ctiid.334033	signaturepermissions-required
https://vuldb.com/?submit.692205	third-party-advisory
https://gist.github.com/H2u8s/f3ede60d7ecfe598ae4…	exploit

Impacted products

1 product

Vendor	Product	Version
n/a	nocobase	Affected: 1.9.0 Affected: 1.9.1 Affected: 1.9.2 Affected: 1.9.3 Affected: 1.9.4 Affected: 2.0.0-alpha.0 Affected: 2.0.0-alpha.1 Affected: 2.0.0-alpha.2 Affected: 2.0.0-alpha.3 Affected: 2.0.0-alpha.4 Affected: 2.0.0-alpha.5 Affected: 2.0.0-alpha.6 Affected: 2.0.0-alpha.7 Affected: 2.0.0-alpha.8 Affected: 2.0.0-alpha.9 Affected: 2.0.0-alpha.10 Affected: 2.0.0-alpha.11 Affected: 2.0.0-alpha.12 Affected: 2.0.0-alpha.13 Affected: 2.0.0-alpha.14 Affected: 2.0.0-alpha.15 Affected: 2.0.0-alpha.16 Affected: 2.0.0-alpha.17 Affected: 2.0.0-alpha.18 Affected: 2.0.0-alpha.19 Affected: 2.0.0-alpha.20 Affected: 2.0.0-alpha.21 Affected: 2.0.0-alpha.22 Affected: 2.0.0-alpha.23 Affected: 2.0.0-alpha.24 Affected: 2.0.0-alpha.25 Affected: 2.0.0-alpha.26 Affected: 2.0.0-alpha.27 Affected: 2.0.0-alpha.28 Affected: 2.0.0-alpha.29 Affected: 2.0.0-alpha.30 Affected: 2.0.0-alpha.31 Affected: 2.0.0-alpha.32 Affected: 2.0.0-alpha.33 Affected: 2.0.0-alpha.34 Affected: 2.0.0-alpha.35 Affected: 2.0.0-alpha.36 Affected: 2.0.0-alpha.37

Credits

28Hus (VulDB User)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13877",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-02T16:16:15.434340Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-02T16:18:30.865Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "JWT Service"
          ],
          "product": "nocobase",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "1.9.0"
            },
            {
              "status": "affected",
              "version": "1.9.1"
            },
            {
              "status": "affected",
              "version": "1.9.2"
            },
            {
              "status": "affected",
              "version": "1.9.3"
            },
            {
              "status": "affected",
              "version": "1.9.4"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.0"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.1"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.2"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.3"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.4"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.5"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.6"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.7"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.8"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.9"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.10"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.11"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.12"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.13"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.14"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.15"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.16"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.17"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.18"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.19"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.20"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.21"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.22"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.23"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.24"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.25"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.26"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.27"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.28"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.29"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.30"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.31"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.32"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.33"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.34"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.35"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.36"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.37"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "28Hus (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of the file nocobase\\packages\\core\\auth\\src\\base\\jwt-service.ts of the component JWT Service. The manipulation of the argument API_KEY results in use of hard-coded cryptographic key\r . The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5.1,
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-321",
              "description": "Use of Hard-coded Cryptographic Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-320",
              "description": "Key Management Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-02T16:02:05.857Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-334033 | nocobase JWT Service jwt-service.ts hard-coded key",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.334033"
        },
        {
          "name": "VDB-334033 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.334033"
        },
        {
          "name": "Submit #692205 | https://github.com/nocobase https://github.com/nocobase/nocobase Latest Authorization Bypass",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.692205"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-02T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-12-02T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-12-02T10:50:07.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "nocobase JWT Service jwt-service.ts hard-coded key"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-13877",
    "datePublished": "2025-12-02T16:02:05.857Z",
    "dateReserved": "2025-12-02T09:44:50.654Z",
    "dateUpdated": "2025-12-02T16:18:30.865Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-13877",
      "date": "2026-05-25",
      "epss": "0.0005",
      "percentile": "0.15674"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-13877\",\"sourceIdentifier\":\"cna@vuldb.com\",\"published\":\"2025-12-02T16:15:54.310\",\"lastModified\":\"2026-04-29T01:00:01.613\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of the file nocobase\\\\packages\\\\core\\\\auth\\\\src\\\\base\\\\jwt-service.ts of the component JWT Service. The manipulation of the argument API_KEY results in use of hard-coded cryptographic key\\r . The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":2.9,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":5.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.2,\"impactScore\":3.4}],\"cvssMetricV2\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:H/Au:N/C:P/I:P/A:P\",\"baseScore\":5.1,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"HIGH\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":4.9,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-320\"},{\"lang\":\"en\",\"value\":\"CWE-321\"}]}],\"references\":[{\"url\":\"https://gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/?ctiid.334033\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/?id.334033\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/?submit.692205\",\"source\":\"cna@vuldb.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-13877\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-02T16:16:15.434340Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-02T16:18:25.800Z\"}}], \"cna\": {\"title\": \"nocobase JWT Service jwt-service.ts hard-coded key\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"28Hus (VulDB User)\"}], \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P\"}}, {\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 5.6, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R\"}}, {\"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 5.6, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R\"}}, {\"cvssV2_0\": {\"version\": \"2.0\", \"baseScore\": 5.1, \"vectorString\": \"AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR\"}}], \"affected\": [{\"vendor\": \"n/a\", \"modules\": [\"JWT Service\"], \"product\": \"nocobase\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.9.0\"}, {\"status\": \"affected\", \"version\": \"1.9.1\"}, {\"status\": \"affected\", \"version\": \"1.9.2\"}, {\"status\": \"affected\", \"version\": \"1.9.3\"}, {\"status\": \"affected\", \"version\": \"1.9.4\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.0\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.1\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.2\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.3\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.4\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.5\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.6\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.7\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.8\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.9\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.10\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.11\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.12\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.13\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.14\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.15\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.16\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.17\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.18\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.19\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.20\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.21\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.22\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.23\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.24\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.25\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.26\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.27\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.28\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.29\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.30\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.31\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.32\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.33\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.34\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.35\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.36\"}, {\"status\": \"affected\", \"version\": \"2.0.0-alpha.37\"}]}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-12-02T00:00:00.000Z\", \"value\": \"Advisory disclosed\"}, {\"lang\": \"en\", \"time\": \"2025-12-02T01:00:00.000Z\", \"value\": \"VulDB entry created\"}, {\"lang\": \"en\", \"time\": \"2025-12-02T10:50:07.000Z\", \"value\": \"VulDB entry last update\"}], \"references\": [{\"url\": \"https://vuldb.com/?id.334033\", \"name\": \"VDB-334033 | nocobase JWT Service jwt-service.ts hard-coded key\", \"tags\": [\"vdb-entry\", \"technical-description\"]}, {\"url\": \"https://vuldb.com/?ctiid.334033\", \"name\": \"VDB-334033 | CTI Indicators (IOB, IOC, TTP, IOA)\", \"tags\": [\"signature\", \"permissions-required\"]}, {\"url\": \"https://vuldb.com/?submit.692205\", \"name\": \"Submit #692205 | https://github.com/nocobase https://github.com/nocobase/nocobase Latest Authorization Bypass\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d\", \"tags\": [\"exploit\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of the file nocobase\\\\packages\\\\core\\\\auth\\\\src\\\\base\\\\jwt-service.ts of the component JWT Service. The manipulation of the argument API_KEY results in use of hard-coded cryptographic key\\r . The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-321\", \"description\": \"Use of Hard-coded Cryptographic Key\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-320\", \"description\": \"Key Management Error\"}]}], \"providerMetadata\": {\"orgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"shortName\": \"VulDB\", \"dateUpdated\": \"2025-12-02T16:02:05.857Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-13877\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-02T16:18:30.865Z\", \"dateReserved\": \"2025-12-02T09:44:50.654Z\", \"assignerOrgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"datePublished\": \"2025-12-02T16:02:05.857Z\", \"assignerShortName\": \"VulDB\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2025-13877

Vulnerability from fkie_nvd - Published: 2025-12-02 16:15 - Updated: 2026-04-29 01:00

Severity

5.6 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Summary

References

	URL	Tags
	cna@vuldb.com	https://gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d
	cna@vuldb.com	https://vuldb.com/?ctiid.334033
	cna@vuldb.com	https://vuldb.com/?id.334033
	cna@vuldb.com	https://vuldb.com/?submit.692205

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of the file nocobase\\packages\\core\\auth\\src\\base\\jwt-service.ts of the component JWT Service. The manipulation of the argument API_KEY results in use of hard-coded cryptographic key\r . The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
    }
  ],
  "id": "CVE-2025-13877",
  "lastModified": "2026-04-29T01:00:01.613",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.1,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 4.9,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "cna@vuldb.com",
        "type": "Secondary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.6,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.4,
        "source": "cna@vuldb.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "HIGH",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 2.9,
          "baseSeverity": "LOW",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "cna@vuldb.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-12-02T16:15:54.310",
  "references": [
    {
      "source": "cna@vuldb.com",
      "url": "https://gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d"
    },
    {
      "source": "cna@vuldb.com",
      "url": "https://vuldb.com/?ctiid.334033"
    },
    {
      "source": "cna@vuldb.com",
      "url": "https://vuldb.com/?id.334033"
    },
    {
      "source": "cna@vuldb.com",
      "url": "https://vuldb.com/?submit.692205"
    }
  ],
  "sourceIdentifier": "cna@vuldb.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-320"
        },
        {
          "lang": "en",
          "value": "CWE-321"
        }
      ],
      "source": "cna@vuldb.com",
      "type": "Secondary"
    }
  ]
}

GHSA-MV7P-34FV-4874

Vulnerability from github – Published: 2025-12-09 17:42 – Updated: 2025-12-09 17:42

Summary

Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments

Details

Impact

CVE-2025-13877 is an authentication bypass vulnerability caused by insecure default JWT key usage in NocoBase Docker deployments.

Because the official one-click Docker deployment configuration historically provided a public default JWT key, attackers can forge valid JWT tokens without possessing any legitimate credentials. By constructing a token with a known userId (commonly the administrator account), an attacker can directly bypass authentication and authorization checks.

Successful exploitation allows an attacker to:

Bypass authentication entirely
Impersonate arbitrary users
Gain full administrator privileges
Access sensitive business data
Create, modify, or delete users
Access cloud storage credentials and other protected secrets

The vulnerability is remotely exploitable, requires no authentication, and public proof-of-concept exploits are available.
This issue is functionally equivalent in impact to other JWT secret exposure vulnerabilities such as CVE-2024-43441 and CVE-2025-30206.

Deployments that used the default Docker configuration without explicitly overriding the JWT secret are affected.

Patches

✅ The vulnerability has been fully patched through a secure JWT key management redesign.

The remediation enforces the following security guarantees:

JWT secrets are no longer allowed to fall back to public default values.
Secrets must either:
Be explicitly provided by the user, or
Be securely generated using cryptographically strong randomness at first startup.
Generated secrets are persisted securely with restricted filesystem permissions.
Invalid or weak secret values immediately trigger a startup failure.

✅ Fixed Versions: - NocoBase ≥ 1.9.23 - NocoBase ≥ 1.9.0-beta.18 - NocoBase ≥ 2.0.0-alpha.52

Workarounds

If upgrading is not immediately possible, the following temporary mitigations must be performed to reduce risk:

Explicitly set a strong, randomly generated JWT secret via environment variables APP_KEY.
Restart all running NocoBase instances so the new secret takes effect.
Invalidate all existing JWT sessions, forcing complete user re-authentication.
Verify that no default secret values are present in:
docker-compose.yml
.env files
Kubernetes Secrets

References

CVE Record: CVE-2025-13877
VulDB Entry: https://vuldb.com/?id.334033
Public Exploit Proof:
https://gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d
Affected Default Docker Configurations:
https://github.com/nocobase/nocobase/blob/main/docker/app-mysql/docker-compose.yml#L13
https://github.com/nocobase/nocobase/blob/main/docker/app-mariadb/docker-compose.yml#L13
https://github.com/nocobase/nocobase/blob/main/docker/app-postgres/docker-compose.yml#L11
https://github.com/nocobase/nocobase/blob/main/docker/app-sqlite/docker-compose.yml#L11
Official Deployment Documentation:
https://docs.nocobase.com/welcome/getting-started/installation/docker-compose
https://v2.docs.nocobase.com/get-started/installation/docker

Severity

6.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.9.21"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@nocobase/auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.9.0"
            },
            {
              "fixed": "1.9.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.9.0-beta.17"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@nocobase/auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.0-beta.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.0-alpha.51"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@nocobase/auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-alpha.1"
            },
            {
              "fixed": "2.0.0-alpha.52"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-13877"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1320",
      "CWE-321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-09T17:42:53Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nCVE-2025-13877 is an **authentication bypass vulnerability caused by insecure default JWT key usage** in NocoBase Docker deployments.\n\nBecause the official one-click Docker deployment configuration historically provided a **public default JWT key**, attackers can **forge valid JWT tokens without possessing any legitimate credentials**. By constructing a token with a known `userId` (commonly the administrator account), an attacker can directly bypass authentication and authorization checks.\n\nSuccessful exploitation allows an attacker to:\n\n- Bypass authentication entirely\n- Impersonate arbitrary users\n- Gain full administrator privileges\n- Access sensitive business data\n- Create, modify, or delete users\n- Access cloud storage credentials and other protected secrets\n\nThe vulnerability is **remotely exploitable**, requires **no authentication**, and **public proof-of-concept exploits are available**.  \nThis issue is functionally equivalent in impact to other JWT secret exposure vulnerabilities such as **CVE-2024-43441** and **CVE-2025-30206**.\n\nDeployments that used the default Docker configuration without explicitly overriding the JWT secret are affected.\n\n---\n\n### Patches\n\n\u2705 The vulnerability has been **fully patched** through a secure JWT key management redesign.\n\nThe remediation enforces the following security guarantees:\n\n- JWT secrets are no longer allowed to fall back to public default values.\n- Secrets must either:\n  - Be explicitly provided by the user, or\n  - Be securely generated using cryptographically strong randomness at first startup.\n- Generated secrets are persisted securely with restricted filesystem permissions.\n- Invalid or weak secret values immediately trigger a startup failure.\n\n\u2705 Fixed Versions:\n- **NocoBase \u2265 1.9.23**\n- **NocoBase \u2265 1.9.0-beta.18**\n- **NocoBase \u2265 2.0.0-alpha.52**\n\n---\n\n### Workarounds\n\nIf upgrading is not immediately possible, the following temporary mitigations **must** be performed to reduce risk:\n\n1. Explicitly set a **strong, randomly generated JWT secret** via environment variables `APP_KEY`.\n2. **Restart all running NocoBase instances** so the new secret takes effect.\n3. **Invalidate all existing JWT sessions**, forcing complete user re-authentication.\n4. Verify that **no default secret values** are present in:\n   - `docker-compose.yml`\n   - `.env` files\n   - Kubernetes Secrets\n\n---\n\n### References\n\n- **CVE Record:** CVE-2025-13877  \n- **VulDB Entry:** https://vuldb.com/?id.334033  \n- **Public Exploit Proof:**  \n  https://gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d  \n\n- **Affected Default Docker Configurations:**  \n  - https://github.com/nocobase/nocobase/blob/main/docker/app-mysql/docker-compose.yml#L13  \n  - https://github.com/nocobase/nocobase/blob/main/docker/app-mariadb/docker-compose.yml#L13  \n  - https://github.com/nocobase/nocobase/blob/main/docker/app-postgres/docker-compose.yml#L11  \n  - https://github.com/nocobase/nocobase/blob/main/docker/app-sqlite/docker-compose.yml#L11  \n\n- **Official Deployment Documentation:**  \n  - https://docs.nocobase.com/welcome/getting-started/installation/docker-compose  \n  - https://v2.docs.nocobase.com/get-started/installation/docker",
  "id": "GHSA-mv7p-34fv-4874",
  "modified": "2025-12-09T17:42:53Z",
  "published": "2025-12-09T17:42:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-mv7p-34fv-4874"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13877"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/commit/de4292ea7847dd26c6306445091769f8b9ee96d5"
    },
    {
      "type": "WEB",
      "url": "https://docs.nocobase.com/welcome/getting-started/installation/docker-compose"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocobase/nocobase"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/blob/main/docker/app-mariadb/docker-compose.yml#L13"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/blob/main/docker/app-mysql/docker-compose.yml#L13"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/blob/main/docker/app-postgres/docker-compose.yml#L11"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/blob/main/docker/app-sqlite/docker-compose.yml#L11"
    },
    {
      "type": "WEB",
      "url": "https://v2.docs.nocobase.com/get-started/installation/docker"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.334033"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.334033"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.692205"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-13877 (GCVE-0-2025-13877)

FKIE_CVE-2025-13877

GHSA-MV7P-34FV-4874

Impact

Patches

Workarounds

References

Tags

Sightings

Nomenclature