GHSA-MV7P-34FV-4874

Vulnerability from github – Published: 2025-12-09 17:42 – Updated: 2025-12-09 17:42
Summary
Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments
Details

Impact

CVE-2025-13877 is an authentication bypass vulnerability caused by insecure default JWT key usage in NocoBase Docker deployments.

Because the official one-click Docker deployment configuration historically provided a public default JWT key, attackers can forge valid JWT tokens without possessing any legitimate credentials. By constructing a token with a known userId (commonly the administrator account), an attacker can directly bypass authentication and authorization checks.

Successful exploitation allows an attacker to:

  • Bypass authentication entirely
  • Impersonate arbitrary users
  • Gain full administrator privileges
  • Access sensitive business data
  • Create, modify, or delete users
  • Access cloud storage credentials and other protected secrets

The vulnerability is remotely exploitable, requires no authentication, and public proof-of-concept exploits are available.
This issue is functionally equivalent in impact to other JWT secret exposure vulnerabilities such as CVE-2024-43441 and CVE-2025-30206.

Deployments that used the default Docker configuration without explicitly overriding the JWT secret are affected.


Patches

✅ The vulnerability has been fully patched through a secure JWT key management redesign.

The remediation enforces the following security guarantees:

  • JWT secrets are no longer allowed to fall back to public default values.
  • Secrets must either:
      • Be explicitly provided by the user, or
      • Be securely generated using cryptographically strong randomness at first startup.
  • Generated secrets are persisted securely with restricted filesystem permissions.
  • Invalid or weak secret values immediately trigger a startup failure.

✅ Fixed Versions:

  • NocoBase ≥ 1.9.23
  • NocoBase ≥ 1.9.0-beta.18
  • NocoBase ≥ 2.0.0-alpha.52


Workarounds

If upgrading is not immediately possible, the following temporary mitigations must be performed to reduce risk:

  1. Explicitly set a strong, randomly generated JWT secret via the APP_KEY environment variable.
  2. Restart all running NocoBase instances so the new secret takes effect.
  3. Invalidate all existing JWT sessions, forcing complete user re-authentication.
  4. Verify that no default secret values are present in:
      • docker-compose.yml
      • .env files
      • Kubernetes Secrets

References

  • CVE Record: CVE-2025-13877
  • VulDB Entry: https://vuldb.com/?id.334033
  • Public Exploit Proof: https://gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d
  • Affected Default Docker Configurations:
      • https://github.com/nocobase/nocobase/blob/main/docker/app-mysql/docker-compose.yml#L13
      • https://github.com/nocobase/nocobase/blob/main/docker/app-mariadb/docker-compose.yml#L13
      • https://github.com/nocobase/nocobase/blob/main/docker/app-postgres/docker-compose.yml#L11
      • https://github.com/nocobase/nocobase/blob/main/docker/app-sqlite/docker-compose.yml#L11
  • Official Deployment Documentation:
      • https://docs.nocobase.com/welcome/getting-started/installation/docker-compose
      • https://v2.docs.nocobase.com/get-started/installation/docker

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.9.21"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@nocobase/auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.9.0"
            },
            {
              "fixed": "1.9.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.9.0-beta.17"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@nocobase/auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.0-beta.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.0-alpha.51"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@nocobase/auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-alpha.1"
            },
            {
              "fixed": "2.0.0-alpha.52"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-13877"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1320",
      "CWE-321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-09T17:42:53Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nCVE-2025-13877 is an **authentication bypass vulnerability caused by insecure default JWT key usage** in NocoBase Docker deployments.\n\nBecause the official one-click Docker deployment configuration historically provided a **public default JWT key**, attackers can **forge valid JWT tokens without possessing any legitimate credentials**. By constructing a token with a known `userId` (commonly the administrator account), an attacker can directly bypass authentication and authorization checks.\n\nSuccessful exploitation allows an attacker to:\n\n- Bypass authentication entirely\n- Impersonate arbitrary users\n- Gain full administrator privileges\n- Access sensitive business data\n- Create, modify, or delete users\n- Access cloud storage credentials and other protected secrets\n\nThe vulnerability is **remotely exploitable**, requires **no authentication**, and **public proof-of-concept exploits are available**.  \nThis issue is functionally equivalent in impact to other JWT secret exposure vulnerabilities such as **CVE-2024-43441** and **CVE-2025-30206**.\n\nDeployments that used the default Docker configuration without explicitly overriding the JWT secret are affected.\n\n---\n\n### Patches\n\n\u2705 The vulnerability has been **fully patched** through a secure JWT key management redesign.\n\nThe remediation enforces the following security guarantees:\n\n- JWT secrets are no longer allowed to fall back to public default values.\n- Secrets must either:\n  - Be explicitly provided by the user, or\n  - Be securely generated using cryptographically strong randomness at first startup.\n- Generated secrets are persisted securely with restricted filesystem permissions.\n- Invalid or weak secret values immediately trigger a startup failure.\n\n\u2705 Fixed Versions:\n- **NocoBase \u2265 1.9.23**\n- **NocoBase \u2265 1.9.0-beta.18**\n- **NocoBase \u2265 2.0.0-alpha.52**\n\n---\n\n### Workarounds\n\nIf upgrading is not immediately possible, the following temporary mitigations **must** be performed to reduce risk:\n\n1. Explicitly set a **strong, randomly generated JWT secret** via environment variables `APP_KEY`.\n2. **Restart all running NocoBase instances** so the new secret takes effect.\n3. **Invalidate all existing JWT sessions**, forcing complete user re-authentication.\n4. Verify that **no default secret values** are present in:\n   - `docker-compose.yml`\n   - `.env` files\n   - Kubernetes Secrets\n\n---\n\n### References\n\n- **CVE Record:** CVE-2025-13877  \n- **VulDB Entry:** https://vuldb.com/?id.334033  \n- **Public Exploit Proof:**  \n  https://gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d  \n\n- **Affected Default Docker Configurations:**  \n  - https://github.com/nocobase/nocobase/blob/main/docker/app-mysql/docker-compose.yml#L13  \n  - https://github.com/nocobase/nocobase/blob/main/docker/app-mariadb/docker-compose.yml#L13  \n  - https://github.com/nocobase/nocobase/blob/main/docker/app-postgres/docker-compose.yml#L11  \n  - https://github.com/nocobase/nocobase/blob/main/docker/app-sqlite/docker-compose.yml#L11  \n\n- **Official Deployment Documentation:**  \n  - https://docs.nocobase.com/welcome/getting-started/installation/docker-compose  \n  - https://v2.docs.nocobase.com/get-started/installation/docker",
  "id": "GHSA-mv7p-34fv-4874",
  "modified": "2025-12-09T17:42:53Z",
  "published": "2025-12-09T17:42:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-mv7p-34fv-4874"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13877"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/commit/de4292ea7847dd26c6306445091769f8b9ee96d5"
    },
    {
      "type": "WEB",
      "url": "https://docs.nocobase.com/welcome/getting-started/installation/docker-compose"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocobase/nocobase"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/blob/main/docker/app-mariadb/docker-compose.yml#L13"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/blob/main/docker/app-mysql/docker-compose.yml#L13"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/blob/main/docker/app-postgres/docker-compose.yml#L11"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/blob/main/docker/app-sqlite/docker-compose.yml#L11"
    },
    {
      "type": "WEB",
      "url": "https://v2.docs.nocobase.com/get-started/installation/docker"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.334033"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.334033"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.692205"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments"
}
