Skip to content

Commit 462a763

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-644f-hrff-mf96 GHSA-mv7p-34fv-4874 GHSA-644f-hrff-mf96
1 parent 3291eca commit 462a763

File tree

3 files changed

+226
-50
lines changed

3 files changed

+226
-50
lines changed

advisories/github-reviewed/2025/12/GHSA-644f-hrff-mf96/GHSA-644f-hrff-mf96.json

Lines changed: 73 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,73 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-644f-hrff-mf96",
4+
"modified": "2025-12-09T17:42:41Z",
5+
"published": "2025-12-02T18:30:35Z",
6+
"withdrawn": "2025-12-09T17:42:41Z",
7+
"aliases": [],
8+
"summary": "Duplicate Advisory: Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments",
9+
"details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-mv7p-34fv-4874. This link is maintained to preserve external references.\n\n## Original Description\nA vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of the file nocobase\\packages\\core\\auth\\src\\base\\jwt-service.ts of the component JWT Service. The manipulation of the argument API_KEY results in use of hard-coded cryptographic key\n . The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
14+
},
15+
{
16+
"type": "CVSS_V4",
17+
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
18+
}
19+
],
20+
"affected": [
21+
{
22+
"package": {
23+
"ecosystem": "npm",
24+
"name": "@nocobase/auth"
25+
},
26+
"ranges": [
27+
{
28+
"type": "ECOSYSTEM",
29+
"events": [
30+
{
31+
"introduced": "0"
32+
},
33+
{
34+
"fixed": "1.9.23"
35+
}
36+
]
37+
}
38+
],
39+
"database_specific": {
40+
"last_known_affected_version_range": "<= 1.9.21"
41+
}
42+
}
43+
],
44+
"references": [
45+
{
46+
"type": "ADVISORY",
47+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13877"
48+
},
49+
{
50+
"type": "WEB",
51+
"url": "https://gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d"
52+
},
53+
{
54+
"type": "WEB",
55+
"url": "https://vuldb.com/?ctiid.334033"
56+
},
57+
{
58+
"type": "WEB",
59+
"url": "https://vuldb.com/?id.334033"
60+
},
61+
{
62+
"type": "WEB",
63+
"url": "https://vuldb.com/?submit.692205"
64+
}
65+
],
66+
"database_specific": {
67+
"cwe_ids": [],
68+
"severity": "LOW",
69+
"github_reviewed": true,
70+
"github_reviewed_at": "2025-12-09T17:42:41Z",
71+
"nvd_published_at": "2025-12-02T16:15:54Z"
72+
}
73+
}

advisories/github-reviewed/2025/12/GHSA-mv7p-34fv-4874/GHSA-mv7p-34fv-4874.json

Lines changed: 153 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,153 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-mv7p-34fv-4874",
4+
"modified": "2025-12-09T17:42:53Z",
5+
"published": "2025-12-09T17:42:53Z",
6+
"aliases": [
7+
"CVE-2025-13877"
8+
],
9+
"summary": "Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments",
10+
"details": "### Impact\n\nCVE-2025-13877 is an **authentication bypass vulnerability caused by insecure default JWT key usage** in NocoBase Docker deployments.\n\nBecause the official one-click Docker deployment configuration historically provided a **public default JWT key**, attackers can **forge valid JWT tokens without possessing any legitimate credentials**. By constructing a token with a known `userId` (commonly the administrator account), an attacker can directly bypass authentication and authorization checks.\n\nSuccessful exploitation allows an attacker to:\n\n- Bypass authentication entirely\n- Impersonate arbitrary users\n- Gain full administrator privileges\n- Access sensitive business data\n- Create, modify, or delete users\n- Access cloud storage credentials and other protected secrets\n\nThe vulnerability is **remotely exploitable**, requires **no authentication**, and **public proof-of-concept exploits are available**. \nThis issue is functionally equivalent in impact to other JWT secret exposure vulnerabilities such as **CVE-2024-43441** and **CVE-2025-30206**.\n\nDeployments that used the default Docker configuration without explicitly overriding the JWT secret are affected.\n\n---\n\n### Patches\n\n✅ The vulnerability has been **fully patched** through a secure JWT key management redesign.\n\nThe remediation enforces the following security guarantees:\n\n- JWT secrets are no longer allowed to fall back to public default values.\n- Secrets must either:\n - Be explicitly provided by the user, or\n - Be securely generated using cryptographically strong randomness at first startup.\n- Generated secrets are persisted securely with restricted filesystem permissions.\n- Invalid or weak secret values immediately trigger a startup failure.\n\n✅ Fixed Versions:\n- **NocoBase ≥ 1.9.23**\n- **NocoBase ≥ 1.9.0-beta.18**\n- **NocoBase ≥ 2.0.0-alpha.52**\n\n---\n\n### Workarounds\n\nIf upgrading is not immediately possible, the following temporary mitigations **must** be performed to reduce risk:\n\n1. Explicitly set a **strong, randomly generated JWT secret** via environment variables `APP_KEY`.\n2. **Restart all running NocoBase instances** so the new secret takes effect.\n3. **Invalidate all existing JWT sessions**, forcing complete user re-authentication.\n4. Verify that **no default secret values** are present in:\n - `docker-compose.yml`\n - `.env` files\n - Kubernetes Secrets\n\n---\n\n### References\n\n- **CVE Record:** CVE-2025-13877 \n- **VulDB Entry:** https://vuldb.com/?id.334033 \n- **Public Exploit Proof:** \n https://gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d \n\n- **Affected Default Docker Configurations:** \n - https://github.com/nocobase/nocobase/blob/main/docker/app-mysql/docker-compose.yml#L13 \n - https://github.com/nocobase/nocobase/blob/main/docker/app-mariadb/docker-compose.yml#L13 \n - https://github.com/nocobase/nocobase/blob/main/docker/app-postgres/docker-compose.yml#L11 \n - https://github.com/nocobase/nocobase/blob/main/docker/app-sqlite/docker-compose.yml#L11 \n\n- **Official Deployment Documentation:** \n - https://docs.nocobase.com/welcome/getting-started/installation/docker-compose \n - https://v2.docs.nocobase.com/get-started/installation/docker",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "@nocobase/auth"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "1.9.0"
29+
},
30+
{
31+
"fixed": "1.9.23"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 1.9.21"
38+
}
39+
},
40+
{
41+
"package": {
42+
"ecosystem": "npm",
43+
"name": "@nocobase/auth"
44+
},
45+
"ranges": [
46+
{
47+
"type": "ECOSYSTEM",
48+
"events": [
49+
{
50+
"introduced": "0"
51+
},
52+
{
53+
"fixed": "1.9.0-beta.18"
54+
}
55+
]
56+
}
57+
],
58+
"database_specific": {
59+
"last_known_affected_version_range": "<= 1.9.0-beta.17"
60+
}
61+
},
62+
{
63+
"package": {
64+
"ecosystem": "npm",
65+
"name": "@nocobase/auth"
66+
},
67+
"ranges": [
68+
{
69+
"type": "ECOSYSTEM",
70+
"events": [
71+
{
72+
"introduced": "2.0.0-alpha.1"
73+
},
74+
{
75+
"fixed": "2.0.0-alpha.52"
76+
}
77+
]
78+
}
79+
],
80+
"database_specific": {
81+
"last_known_affected_version_range": "<= 2.0.0-alpha.51"
82+
}
83+
}
84+
],
85+
"references": [
86+
{
87+
"type": "WEB",
88+
"url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-mv7p-34fv-4874"
89+
},
90+
{
91+
"type": "ADVISORY",
92+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13877"
93+
},
94+
{
95+
"type": "WEB",
96+
"url": "https://github.com/nocobase/nocobase/commit/de4292ea7847dd26c6306445091769f8b9ee96d5"
97+
},
98+
{
99+
"type": "WEB",
100+
"url": "https://docs.nocobase.com/welcome/getting-started/installation/docker-compose"
101+
},
102+
{
103+
"type": "WEB",
104+
"url": "https://gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d"
105+
},
106+
{
107+
"type": "PACKAGE",
108+
"url": "https://github.com/nocobase/nocobase"
109+
},
110+
{
111+
"type": "WEB",
112+
"url": "https://github.com/nocobase/nocobase/blob/main/docker/app-mariadb/docker-compose.yml#L13"
113+
},
114+
{
115+
"type": "WEB",
116+
"url": "https://github.com/nocobase/nocobase/blob/main/docker/app-mysql/docker-compose.yml#L13"
117+
},
118+
{
119+
"type": "WEB",
120+
"url": "https://github.com/nocobase/nocobase/blob/main/docker/app-postgres/docker-compose.yml#L11"
121+
},
122+
{
123+
"type": "WEB",
124+
"url": "https://github.com/nocobase/nocobase/blob/main/docker/app-sqlite/docker-compose.yml#L11"
125+
},
126+
{
127+
"type": "WEB",
128+
"url": "https://v2.docs.nocobase.com/get-started/installation/docker"
129+
},
130+
{
131+
"type": "WEB",
132+
"url": "https://vuldb.com/?ctiid.334033"
133+
},
134+
{
135+
"type": "WEB",
136+
"url": "https://vuldb.com/?id.334033"
137+
},
138+
{
139+
"type": "WEB",
140+
"url": "https://vuldb.com/?submit.692205"
141+
}
142+
],
143+
"database_specific": {
144+
"cwe_ids": [
145+
"CWE-1320",
146+
"CWE-321"
147+
],
148+
"severity": "MODERATE",
149+
"github_reviewed": true,
150+
"github_reviewed_at": "2025-12-09T17:42:53Z",
151+
"nvd_published_at": null
152+
}
153+
}

advisories/unreviewed/2025/12/GHSA-644f-hrff-mf96/GHSA-644f-hrff-mf96.json

Lines changed: 0 additions & 50 deletions
This file was deleted.

0 commit comments

Comments
 (0)