CVE-2025-69971

HIGH8.1EPSS 4.5%

FUXA has a hardcoded fallback JWT signing secret

Published: 2/3/2026Modified: 5/11/2026

Also known as:GHSA-2r8f-cf6w-x5vq GHSA-c8m8-3jcr-6rj5

Description

FUXA used a static fallback JWT signing secret (`frangoteam751`) when no `secretCode` was configured. If authentication was enabled without explicitly setting a custom secret, an attacker who knew the default value could forge valid JWT tokens and bypass authentication. This issue has been addressed in version 1.3.0 by removing the static fallback and generating a secure random secret when no `secretCode` is provided.

Affected packages (2)

npm/@frangoteam/fuxafrom 0, < 1.3.0
npm/fuxa-serverfrom 0, <= 1.2.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-69971
PATCHhttps://github.com/frangoteam/FUXA
WEBhttps://github.com/frangoteam/FUXA/blob/master/server/api/jwt-helper.js
WEBhttps://github.com/frangoteam/FUXA/security/advisories/GHSA-c8m8-3jcr-6rj5