Common Weakness Enumeration

CWE-1320

Allowed

Improper Protection for Outbound Error Messages and Alert Signals

Abstraction: Base · Status: Draft

Untrusted agents can disable alerts about signal conditions exceeding limits or the response mechanism that handles such alerts.

13 vulnerabilities reference this CWE, most recent first.

GHSA-MV7P-34FV-4874

Vulnerability from github – Published: 2025-12-09 17:42 – Updated: 2025-12-09 17:42
VLAI
Summary
Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments
Details

Impact

CVE-2025-13877 is an authentication bypass vulnerability caused by insecure default JWT key usage in NocoBase Docker deployments.

Because the official one-click Docker deployment configuration historically provided a public default JWT key, attackers can forge valid JWT tokens without possessing any legitimate credentials. By constructing a token with a known userId (commonly the administrator account), an attacker can directly bypass authentication and authorization checks.

Successful exploitation allows an attacker to:

  • Bypass authentication entirely
  • Impersonate arbitrary users
  • Gain full administrator privileges
  • Access sensitive business data
  • Create, modify, or delete users
  • Access cloud storage credentials and other protected secrets

The vulnerability is remotely exploitable, requires no authentication, and public proof-of-concept exploits are available.
This issue is functionally equivalent in impact to other JWT secret exposure vulnerabilities such as CVE-2024-43441 and CVE-2025-30206.

Deployments that used the default Docker configuration without explicitly overriding the JWT secret are affected.


Patches

✅ The vulnerability has been fully patched through a secure JWT key management redesign.

The remediation enforces the following security guarantees:

  • JWT secrets are no longer allowed to fall back to public default values.
  • Secrets must either:
  • Be explicitly provided by the user, or
  • Be securely generated using cryptographically strong randomness at first startup.
  • Generated secrets are persisted securely with restricted filesystem permissions.
  • Invalid or weak secret values immediately trigger a startup failure.

✅ Fixed Versions: - NocoBase ≥ 1.9.23 - NocoBase ≥ 1.9.0-beta.18 - NocoBase ≥ 2.0.0-alpha.52


Workarounds

If upgrading is not immediately possible, the following temporary mitigations must be performed to reduce risk:

  1. Explicitly set a strong, randomly generated JWT secret via environment variables APP_KEY.
  2. Restart all running NocoBase instances so the new secret takes effect.
  3. Invalidate all existing JWT sessions, forcing complete user re-authentication.
  4. Verify that no default secret values are present in:
  5. docker-compose.yml
  6. .env files
  7. Kubernetes Secrets

References

  • CVE Record: CVE-2025-13877
  • VulDB Entry: https://vuldb.com/?id.334033
  • Public Exploit Proof:
    https://gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d

  • Affected Default Docker Configurations:

  • https://github.com/nocobase/nocobase/blob/main/docker/app-mysql/docker-compose.yml#L13
  • https://github.com/nocobase/nocobase/blob/main/docker/app-mariadb/docker-compose.yml#L13
  • https://github.com/nocobase/nocobase/blob/main/docker/app-postgres/docker-compose.yml#L11
  • https://github.com/nocobase/nocobase/blob/main/docker/app-sqlite/docker-compose.yml#L11

  • Official Deployment Documentation:

  • https://docs.nocobase.com/welcome/getting-started/installation/docker-compose
  • https://v2.docs.nocobase.com/get-started/installation/docker
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.9.21"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@nocobase/auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.9.0"
            },
            {
              "fixed": "1.9.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.9.0-beta.17"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@nocobase/auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.0-beta.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.0-alpha.51"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@nocobase/auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-alpha.1"
            },
            {
              "fixed": "2.0.0-alpha.52"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-13877"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1320",
      "CWE-321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-09T17:42:53Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nCVE-2025-13877 is an **authentication bypass vulnerability caused by insecure default JWT key usage** in NocoBase Docker deployments.\n\nBecause the official one-click Docker deployment configuration historically provided a **public default JWT key**, attackers can **forge valid JWT tokens without possessing any legitimate credentials**. By constructing a token with a known `userId` (commonly the administrator account), an attacker can directly bypass authentication and authorization checks.\n\nSuccessful exploitation allows an attacker to:\n\n- Bypass authentication entirely\n- Impersonate arbitrary users\n- Gain full administrator privileges\n- Access sensitive business data\n- Create, modify, or delete users\n- Access cloud storage credentials and other protected secrets\n\nThe vulnerability is **remotely exploitable**, requires **no authentication**, and **public proof-of-concept exploits are available**.  \nThis issue is functionally equivalent in impact to other JWT secret exposure vulnerabilities such as **CVE-2024-43441** and **CVE-2025-30206**.\n\nDeployments that used the default Docker configuration without explicitly overriding the JWT secret are affected.\n\n---\n\n### Patches\n\n\u2705 The vulnerability has been **fully patched** through a secure JWT key management redesign.\n\nThe remediation enforces the following security guarantees:\n\n- JWT secrets are no longer allowed to fall back to public default values.\n- Secrets must either:\n  - Be explicitly provided by the user, or\n  - Be securely generated using cryptographically strong randomness at first startup.\n- Generated secrets are persisted securely with restricted filesystem permissions.\n- Invalid or weak secret values immediately trigger a startup failure.\n\n\u2705 Fixed Versions:\n- **NocoBase \u2265 1.9.23**\n- **NocoBase \u2265 1.9.0-beta.18**\n- **NocoBase \u2265 2.0.0-alpha.52**\n\n---\n\n### Workarounds\n\nIf upgrading is not immediately possible, the following temporary mitigations **must** be performed to reduce risk:\n\n1. Explicitly set a **strong, randomly generated JWT secret** via environment variables `APP_KEY`.\n2. **Restart all running NocoBase instances** so the new secret takes effect.\n3. **Invalidate all existing JWT sessions**, forcing complete user re-authentication.\n4. Verify that **no default secret values** are present in:\n   - `docker-compose.yml`\n   - `.env` files\n   - Kubernetes Secrets\n\n---\n\n### References\n\n- **CVE Record:** CVE-2025-13877  \n- **VulDB Entry:** https://vuldb.com/?id.334033  \n- **Public Exploit Proof:**  \n  https://gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d  \n\n- **Affected Default Docker Configurations:**  \n  - https://github.com/nocobase/nocobase/blob/main/docker/app-mysql/docker-compose.yml#L13  \n  - https://github.com/nocobase/nocobase/blob/main/docker/app-mariadb/docker-compose.yml#L13  \n  - https://github.com/nocobase/nocobase/blob/main/docker/app-postgres/docker-compose.yml#L11  \n  - https://github.com/nocobase/nocobase/blob/main/docker/app-sqlite/docker-compose.yml#L11  \n\n- **Official Deployment Documentation:**  \n  - https://docs.nocobase.com/welcome/getting-started/installation/docker-compose  \n  - https://v2.docs.nocobase.com/get-started/installation/docker",
  "id": "GHSA-mv7p-34fv-4874",
  "modified": "2025-12-09T17:42:53Z",
  "published": "2025-12-09T17:42:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-mv7p-34fv-4874"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13877"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/commit/de4292ea7847dd26c6306445091769f8b9ee96d5"
    },
    {
      "type": "WEB",
      "url": "https://docs.nocobase.com/welcome/getting-started/installation/docker-compose"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocobase/nocobase"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/blob/main/docker/app-mariadb/docker-compose.yml#L13"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/blob/main/docker/app-mysql/docker-compose.yml#L13"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/blob/main/docker/app-postgres/docker-compose.yml#L11"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/blob/main/docker/app-sqlite/docker-compose.yml#L11"
    },
    {
      "type": "WEB",
      "url": "https://v2.docs.nocobase.com/get-started/installation/docker"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.334033"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.334033"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.692205"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments"
}

GHSA-RH6Q-6CXG-4782

Vulnerability from github – Published: 2023-12-01 15:31 – Updated: 2026-05-21 09:32
VLAI
Details

Improper Protection for Outbound Error Messages and Alert Signals vulnerability in ArslanSoft Education Portal allows Account Footprinting.This issue affects Education Portal: before v1.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5635"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1320"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-01T14:15:08Z",
    "severity": "HIGH"
  },
  "details": "Improper Protection for Outbound Error Messages and Alert Signals vulnerability in ArslanSoft Education Portal allows Account Footprinting.This issue affects Education Portal: before v1.1.",
  "id": "GHSA-rh6q-6cxg-4782",
  "modified": "2026-05-21T09:32:07Z",
  "published": "2023-12-01T15:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5635"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-23-0670"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-23-0670"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RPJC-6J27-M3GP

Vulnerability from github – Published: 2023-03-06 09:30 – Updated: 2026-06-01 15:30
VLAI
Details

Improper Protection for Outbound Error Messages and Alert Signals vulnerability in ProMIS Process Co. InSCADA allows Account Footprinting.This issue affects inSCADA: before 20230115-1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0839"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1320"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-06T08:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Protection for Outbound Error Messages and Alert Signals vulnerability in ProMIS Process Co. InSCADA allows Account Footprinting.This issue affects inSCADA: before 20230115-1.",
  "id": "GHSA-rpjc-6j27-m3gp",
  "modified": "2026-06-01T15:30:29Z",
  "published": "2023-03-06T09:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0839"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-23-0127"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-23-0127"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Alert signals generated by critical events should be protected from access by untrusted agents. Only hardware or trusted firmware modules should be able to alter the alert configuration.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.