CVE-2025-69971
FUXA has a hardcoded fallback JWT signing secret
8.1
HIGH
CVSS 3.1
EPSS 4.5%
Description
FUXA used a static fallback JWT signing secret (`frangoteam751`) when no `secretCode` was configured. If authentication was enabled without explicitly setting a custom secret, an attacker who knew the default value could forge valid JWT tokens and bypass authentication. This issue has been addressed in version 1.3.0 by removing the static fallback and generating a secure random secret when no `secretCode` is provided.
How to fix CVE-2025-69971
To remediate CVE-2025-69971, upgrade the affected package to a fixed version below.
- — upgrade to 1.3.0 or later
- — no fix listed
Is CVE-2025-69971 being exploited?
Low — EPSS is 4.5%, a low estimated probability of exploitation in the wild; EPSS is a prediction, not a report of observed exploitation at scale.
Affected packages (2)
- from 0, < 1.3.0
- from 0, <= 1.2.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U |
| osv | CVSS 3.1 | HIGH 8.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |