CVE-2025-69971

FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/frangoteam/FUXA/blob/master/server/api/jwt-helper.js	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:frangoteam:fuxa:1.2.7:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-03 18:16

Updated : 2026-02-28 04:16

NVD link : CVE-2025-69971

Mitre link : CVE-2025-69971

CVE.ORG link : CVE-2025-69971

JSON object : View

Products Affected

frangoteam

fuxa

CWE

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2025-69971", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-02-03T18:16:17.370", "references": [{"url": "https://github.com/frangoteam/FUXA/blob/master/server/api/jwt-helper.js", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-798"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access."}, {"lang": "es", "value": "FUXA v1.2.7 contiene una vulnerabilidad de credenciales codificadas de forma r\u00edgida en server/api/jwt-helper.js. La aplicaci\u00f3n utiliza una clave secreta codificada de forma r\u00edgida para firmar y verificar tokens JWT. Esto permite a atacantes remotos forjar tokens de administrador v\u00e1lidos y eludir la autenticaci\u00f3n para obtener acceso administrativo completo."}], "lastModified": "2026-02-28T04:16:17.690", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:frangoteam:fuxa:1.2.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "15279E71-3228-4A7B-A8C0-510C2DDC9A50"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}