macrozheng Mall-Tiny Insecure Permissions Vulnerability Allowing JWT Forgery and Authentication Bypass
Vulnerability
A vulnerability exists in macrozheng mall-tiny version 1.0.1 due to insecure permissions in its JSON Web Token (JWT) handling. The application hardcodes the JWT signing key, which therefore never changes, and embeds user information directly in the JWT; that embedded information is then used for privilege management. Because the key is static and recoverable from the code, and because authority is taken from the token body, it is possible to forge JWTs for any user and bypass the authentication mechanism.
Impact
Exploitation of this vulnerability allows for authentication bypass by forging JWTs, which can lead to unauthorized access and privilege escalation within the application.
Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM
Vulnerability Rating
Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
