CVSS score: 9.8

FUXA: Unauthenticated access to sensitive endpoint due to Referer header spoofing

CVE-2025-69985 GHSA-4r4r-4jp4-wwf9
Summary

FUXA versions 1.2.8 and earlier contain a security issue that lets an attacker reach a protected endpoint without authenticating. This could lead to the attacker running arbitrary code on the server. Users should update FUXA to the latest version to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor      Product  Affected versions  Fix available
frangoteam  fuxa     <= 1.2.8           –
Original title
FUXA has JWT Authentication Bypass via HTTP Referer header spoofing
Original description
FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can bypass JWT authentication by spoofing the Referer header to match the server's host. Successful exploitation allows the attacker to access the protected /api/runscript endpoint and execute arbitrary Node.js code on the server.
NVD CVSS 3.1: 9.8
Vulnerability type
CWE-288 Authentication Bypass Using Alternate Path
Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026