GHSA-2r8f-cf6w-x5vq

Source

https://github.com/advisories/GHSA-2r8f-cf6w-x5vq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-2r8f-cf6w-x5vq/GHSA-2r8f-cf6w-x5vq.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2r8f-cf6w-x5vq

Aliases

CVE-2025-69971

Published

2026-02-03T18:30:47Z

Modified

2026-02-04T19:41:17.081706Z

Severity

8.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

FUXA contains a hard-coded credential vulnerability

Details

FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access.

Database specific

{
    "nvd_published_at": "2026-02-03T18:16:17Z",
    "github_reviewed_at": "2026-02-04T19:22:50Z",
    "cwe_ids": [
        "CWE-798"
    ],
    "severity": "HIGH",
    "github_reviewed": true
}

References

Affected packages

npm / fuxa-server

Package

Name: fuxa-server; View open source insights on deps.dev
Purl: pkg:npm/fuxa-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.2.7

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-2r8f-cf6w-x5vq/GHSA-2r8f-cf6w-x5vq.json"