GHSA-32cc-x95p-fxcg

Suggest an improvement
Source
https://github.com/advisories/GHSA-32cc-x95p-fxcg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-32cc-x95p-fxcg/GHSA-32cc-x95p-fxcg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-32cc-x95p-fxcg
Published
2026-02-05T00:36:30Z
Modified
2026-02-06T17:04:42.288116Z
Severity
  • 9.5 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
Summary
FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration
Details

Description

An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled, but the administrator JWT secret is not configured. This issue has been patched in FUXA version 1.2.10.

Impact

The FUXA documentation allows administrators to manually update a hardcoded JWT secret when enabling authentication. This feature was not available in the UI. This results in a fail-open security posture, where the application can report or appear to be operating in secureEnabled mode while still accepting tokens signed with a publicly known key.

Exploitation allows an unauthenticated, remote attacker to forge JWTs to bypass all authentication mechanisms and obtain administrative access to the FUXA instance. With these elevated privileges, the attacker can interact with administrative APIs, including intended features designed for automation and scripting, to execute arbitrary code in the context of the FUXA service. Depending on deployment configuration and permissions, this may lead to full system compromise and could further expose connected ICS/SCADA environments to follow-on actions.

Patches

This issue has been patched in FUXA version 1.2.10. Users are strongly encouraged to update to the latest available release.

Notes

GitHub stated this vulnerability is identical to CVE-2025-69971, which was published against the repository out of band before coordinated disclosure concluded. CVE-2025-69971 is directionally correct, but the description is inaccurate. Please refer to this advisory for the proper description and affected versions.

Database specific 
{
    "cwe_ids": [
        "CWE-1188",
        "CWE-321"
    ],
    "github_reviewed_at": "2026-02-05T00:36:30Z",
    "nvd_published_at": null,
    "severity": "CRITICAL",
    "github_reviewed": true
}
References

Affected packages

npm / fuxa-server

Package

Name
fuxa-server
View open source insights on deps.dev
Purl
pkg:npm/fuxa-server

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.10

Database specific

last_known_affected_version_range 
"<= 1.2.9"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-32cc-x95p-fxcg/GHSA-32cc-x95p-fxcg.json"