EverShop at risk to unauthorized access via weak HMAC secret
Critical severity
GitHub Reviewed
Published
Jan 13, 2024
to the GitHub Advisory Database
•
Updated Nov 18, 2024
Description
Published by the National Vulnerability Database
Jan 13, 2024
Published to the GitHub Advisory Database
Jan 13, 2024
Reviewed
Jan 16, 2024
Last updated
Nov 18, 2024
An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.9. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens (JWTs), allowing them access to important information and actions within the application.
References