search
Active Boosts

#47741 [W&A-Insight] Missing JWT_SECRET in Env Allows Token Forgery via Empty Secret

Submitted on Jun 19th 2025 at 13:03:19 UTC by @adhd for IOP | Zano Tradearrow-up-right

  • Report ID: #47741

  • Report Type: Websites & Apps

  • Report severity: Insight

  • Target: https://github.com/PRavaga/zano-p2p/blob/master/api/controllers/auth.controller.ts

  • Impacts:

hashtag
Description

hashtag
Brief/Intro

The jwt.sign and jwt.verify uses process.env.JWT_SECRET || "" in the signing and verifying process in this if by any reason if JWT_SECRET is missing in the env of the project the code will automatically use the empty string as the secret which is a bad practice

hashtag
Vulnerability Details

If JWT_SECRET doesn't exists in the .env then the sign and verify will use empty string causing the token forgery

hashtag
Impact Details

Any user can create an valid signature if the JWT_SECRET is not presnet in the .env and call the verification wrt to the user

hashtag
Proof of Concept

hashtag
Proof of Concept

Here, you can see the use of ||, which should not be present.

Previous#47740 [W&A-Critical] Server-Side Request Forgery (SSRF) in `./src/pages/_app.tsx` via the Host headerNext#48436 [W&A-Critical] Dos is possible through the order creation api

Was this helpful?