Severity: 8.1 (CVSS 3.1)

FUXA has a hardcoded secret that can be used to fake authentication

GHSA-c8m8-3jcr-6rj5
Summary

A default secret in FUXA can be used by an attacker to create fake login tokens, potentially allowing unauthorized access. This issue has been fixed in version 1.3.0; until you upgrade, it is essential to set a custom `secretCode` for FUXA authentication.

What to do
  • Update frangoteam @frangoteam/fuxa to version 1.3.0.
Affected software
Vendor       Product             Affected versions   Fix available
frangoteam   @frangoteam/fuxa    <= 1.3.0            1.3.0
Original title
FUXA has a hardcoded fallback JWT signing secret
Original description
FUXA used a static fallback JWT signing secret (`frangoteam751`) when no `secretCode` was configured.

If authentication was enabled without explicitly setting a custom secret, an attacker who knew the default value could forge valid JWT tokens and bypass authentication.

This issue has been addressed in version 1.3.0 by removing the static fallback and generating a secure random secret when no `secretCode` is provided.
Source: osv · CVSS 3.1: 8.1
Vulnerability type
CWE-321 Use of Hard-coded Cryptographic Key
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026