Open5GS WebUI Hard-Coded JWT Signing Key Vulnerability

Vulnerability

A vulnerability exists in the Open5GS WebUI component due to the use of a hard-coded JSON Web Token (JWT) signing key. This default key, 'change-me', is used whenever the environment variable JWT_SECRET_KEY is not set. As a result, deployments relying on the default key are vulnerable to token forgery, allowing unauthorized access to administrative features of the WebUI.

Impact

Exploitation of this vulnerability allows an attacker to forge valid JWTs using the default secret, 'change-me'. With these forged tokens, the attacker can gain administrative access to the Open5GS WebUI, including access to protected REST endpoints that manage sensitive data such as subscriber information and system configuration.

Reproduction

The vulnerability can be reproduced by deploying Open5GS WebUI without setting the JWT_SECRET_KEY environment variable. The WebUI will then use the default hard-coded key, 'change-me', for signing JWTs. This can be verified by checking the WebUI's authentication tokens: tokens signed with the default key are accepted as valid even when they are forged.

Remediation

Users should manually configure their Node.js environment to set the JWT_SECRET_KEY variable to a strong, randomly generated value. Additionally, a patch is available in Open5GS version 2.7.6 that removes the hard-coded defaults and allows for secure, randomized secrets to be used.
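
The fail-closed handling of JWT_SECRET_KEY described above, as an added example (not Open5GS code): it sets the fallback pattern from the advisory beside a loader that refuses an unset, default or short secret, and generates a replacement value. The function names, the 32-byte minimum and the distinct-character check are assumptions of this example.

```javascript
'use strict';
const crypto = require('node:crypto');

// The default named in the advisory; any value equal to it is refused.
const KNOWN_DEFAULTS = new Set(['change-me']);
const MIN_SECRET_BYTES = 32;   // assumption: 256 bits, sized for an HMAC-SHA256 key
const MIN_DISTINCT_CHARS = 8;  // assumption: crude filter for values like "aaaa..."

// Pattern the advisory describes: a silent fallback to a hard-coded key.
function loadSecretWithFallback(env) {
  return env.JWT_SECRET_KEY || 'change-me';
}

// Hardened form: fail closed instead of signing with a guessable key.
function loadSecretStrict(env) {
  const secret = env.JWT_SECRET_KEY;
  if (typeof secret !== 'string' || secret.trim() === '') {
    throw new Error('JWT_SECRET_KEY is not set');
  }
  if (KNOWN_DEFAULTS.has(secret.trim().toLowerCase())) {
    throw new Error('JWT_SECRET_KEY is the published default');
  }
  if (Buffer.byteLength(secret, 'utf8') < MIN_SECRET_BYTES) {
    throw new Error(`JWT_SECRET_KEY is shorter than ${MIN_SECRET_BYTES} bytes`);
  }
  if (new Set(secret).size < MIN_DISTINCT_CHARS) {
    throw new Error('JWT_SECRET_KEY has too little variety to be random');
  }
  return secret;
}

// 48 bytes from the OS CSPRNG, encoded as 64 URL-safe characters.
function generateSecret() {
  return crypto.randomBytes(48).toString('base64url');
}

// Non-throwing wrapper for deployment checks and CI gates.
function auditEnvironment(env) {
  try {
    loadSecretStrict(env);
    return { ok: true, reason: null };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}
```

Calling loadSecretStrict(process.env) once at service start makes a missing or default key a startup failure rather than a silent downgrade.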

Added: Jan 20, 2026, 8:20 PM
Updated: Jan 20, 2026, 9:33 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 7.5
exploitability: 7.7
remediation: 8.3
relevance: 2.2
threat: 1.6
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.