5.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-644f-hrff-mf96

GHSA-644f-hrff-mf96: Duplicate Advisory: Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-mv7p-34fv-4874. This link is maintained to preserve external references.

Original Description

A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of the file nocobase\packages\core\auth\src\base\jwt-service.ts of the component JWT Service. The manipulation of the argument API_KEY results in use of hard-coded cryptographic key . The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-644f-hrff-mf96

GHSA-644f-hrff-mf96:

5.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@nocobase/auth	npm	<= 1.9.21	1.9.23

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the use of a default, hardcoded JWT secret in NocoBase docker-compose deployments. The application's JwtService constructor would fall back to using the APP_KEY environment variable if no specific secret was provided. The default docker-compose.yml files provided by NocoBase used a weak, publicly known value for APP_KEY ('your-secret-key').

An attacker could leverage this knowledge to sign their own JWT tokens with the default secret, effectively bypassing authentication and gaining unauthorized access to the application. The patch addresses this by modifying the AuthManager to generate a strong, random, and persistent secret if one is not explicitly configured. This ensures that each installation uses a unique secret, preventing attackers from forging tokens.

Vulnerable functions

JwtService.constructor

packages/core/auth/src/base/jwt-service.ts

The constructor for `JwtService` was vulnerable because it used `process.env.APP_KEY` as a fallback for the JWT secret. In docker-compose deployments, `APP_KEY` was often set to a default, publicly known value ('your-secret-key'). This allowed an attacker to forge JWT tokens and bypass authentication.

AuthManager.constructor

packages/core/auth/src/auth-manager.ts

The `AuthManager` constructor was responsible for instantiating the `JwtService`. The vulnerable version of the constructor did not ensure a strong, unique secret was provided to `JwtService`, allowing it to fall back to the insecure default `APP_KEY` from the environment variables. The patch introduces a method to generate a secure, random key if no secret is configured.

JwtService.decode

packages/core/auth/src/base/jwt-service.ts

This function processes incoming JWTs to verify their authenticity. During an exploit, an attacker would send a forged token signed with the weak default key. This function would then use that same weak key to verify the token, leading to a successful authentication bypass. This function would appear in runtime profiles during an attack.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.6

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-644f-hrff-mf96: Duplicate Advisory: Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments

Duplicate Advisory

Original Description

GHSA-644f-hrff-mf96:

5.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

GHSA-644f-hrff-mf96: Duplicate Advisory: Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments

Duplicate Advisory

Original Description

5.6

5.6

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI