CVE-2026-45091
Severity: CRITICAL 9.1 | EPSS: 0.01%
sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)
Description
In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token. A JWS payload is base64-encoded JSON; it is signed, NOT encrypted. Any party who could observe a minted token (CI build logs, container env dumps, `kubectl describe pod`, Sentry/Rollbar stack traces, log aggregators) could decode the payload and extract the TOTP secret in plaintext.

An attacker with (a) the master key (e.g. from a separate compromise such as a leaked CI secret) and (b) any single leaked unseal token can use the extracted TOTP secret to mint new valid unseal tokens for any future deploy indefinitely, breaking the second-factor property the library claimed.

Patched in 0.1.0-alpha.4 by replacing the embedded secret with a salt-bound HMAC derivative (`enterprise_epoch = HMAC(totpSecret, salt || "epoch-v1")`). In the new design the TOTP secret never leaves the operator's machine. The wire format change is incompatible: files sealed by affected versions must be re-sealed and the TOTP secret rotated. The full migration playbook is in CHANGELOG.md.

Reported by an external reviewer who decoded the payload of a real minted token and confirmed bit-for-bit equality with the operator's .env.local TOTP secret.
Affected packages (2)
- Maven / io.github.davidalmeidac:sealed-env-core, affected range: >= 0, < 0.1.0-alpha.4
- npm / sealed-env, affected range: >= 0, < 0.1.0-alpha.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |