Ever Gauzy JWT Authentication Vulnerability Due to Weak HMAC Secret
Vulnerability
Ever Gauzy version 0.281.9 signs its JWTs with a weak, predictable HMAC secret key, which undermines JWT authentication. Attackers can intercept JWT tokens and use them to authenticate and gain unauthorized administrative access. Because the signing key is predictable, tokens can also be forged to impersonate users with elevated privileges.
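The following Node.js code is an added example, not taken from Ever Gauzy or from this advisory: a startup check that rejects short or placeholder HS256 secrets, together with signing and verification under a randomly generated key. The function names, the placeholder list and the sample payload are assumptions constructed for illustration.

```javascript
// Added example, not Ever Gauzy code: reject weak HS256 secrets at startup.
const crypto = require("node:crypto");

// Constructed placeholder list (an assumption); extend it with your own defaults.
const PLACEHOLDERS = new Set(["secret", "secretkey", "changeme", "jwt_secret", "password"]);
const MIN_KEY_BYTES = 32; // RFC 7518 section 3.2: HS256 keys need at least 256 bits

// Returns the reasons a secret is unsuitable; an empty array means it passed.
function auditHmacSecret(secret) {
  const text = String(secret ?? "");
  const bytes = Buffer.from(text, "utf8");
  const problems = [];
  if (bytes.length < MIN_KEY_BYTES) problems.push(`only ${bytes.length} bytes, need ${MIN_KEY_BYTES}`);
  if (PLACEHOLDERS.has(text.toLowerCase())) problems.push("matches a known placeholder");
  // Crude heuristic: very few distinct bytes suggests a repeated or typed pattern.
  if (new Set(bytes).size < 10) problems.push("fewer than 10 distinct bytes");
  return problems;
}

// Hypothetical startup hook: fail closed instead of signing with a guessable key.
function loadSigningKey(configured) {
  const problems = auditHmacSecret(configured);
  if (problems.length) throw new Error(`JWT secret rejected: ${problems.join("; ")}`);
  return configured;
}

const b64u = (s) => Buffer.from(s).toString("base64url");
const mac = (data, key) => crypto.createHmac("sha256", key).update(data).digest();

function signHs256(payload, key) {
  const input = `${b64u(JSON.stringify({ alg: "HS256", typ: "JWT" }))}.${b64u(JSON.stringify(payload))}`;
  return `${input}.${mac(input, key).toString("base64url")}`;
}

// Returns the payload, or null if the format, algorithm or signature does not match.
function verifyHs256(token, key) {
  const parts = String(token).split(".");
  if (parts.length !== 3 || parts.some((p) => !p)) return null;
  const [head, body, sig] = parts;
  try {
    if (JSON.parse(Buffer.from(head, "base64url")).alg !== "HS256") return null;
    const got = Buffer.from(sig, "base64url");
    const want = mac(`${head}.${body}`, key);
    if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return null;
    return JSON.parse(Buffer.from(body, "base64url"));
  } catch { return null; }
}

// 48 random bytes from the CSPRNG, encoded for storage in a secrets manager.
const strongKey = loadSigningKey(crypto.randomBytes(48).toString("base64url"));
const token = signHs256({ sub: "user-1", role: "ADMIN" }, strongKey); // constructed payload
```

Replacing the signing key invalidates every token issued under the old one, so sessions must be re-established after rotation.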
Impact
Exploiting this vulnerability allows unauthorized authentication and access to administrative privileges within the application.
Reproduction
To reproduce this vulnerability, log into the application and send a request to the authentication endpoint. The response will include a JWT token in the 'Authorization' header. This token can be intercepted and used to authenticate as an admin user.
