| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @evershop/evershop | npm | < 1.0.0-rc.9 | 1.0.0-rc.9 |
The vulnerability stems from the use of a hardcoded HMAC secret in JWT operations. The commit diff shows the removal of the JWT-related functions and a migration to session authentication. The deleted getTokenSecret.js explicitly returns 'secret', and generateToken.js and the verification middleware would have used this insecure secret. These functions were present in vulnerable versions (< 1.0.0-rc.9) and removed in the patch; because the value is fixed in source, the HMAC secret is predictable to anyone who reads the code.