sealed-env TOTP Secret Exposure Vulnerability in JWS Payload

Vulnerability

A vulnerability in the sealed-env library, affecting versions 0.1.0-alpha.1 through 0.1.0-alpha.3, allows the operator's TOTP secret to be embedded in the JWS payload of unseal tokens. This payload, which is base64-encoded JSON and not encrypted, could be decoded by any party observing the token. The vulnerability arises in enterprise mode, where the exposed TOTP secret could be extracted and used to mint new unseal tokens, undermining the library's claimed second-factor authentication. The issue has been patched in version 0.1.0-alpha.4 by replacing the embedded secret with a salt-bound HMAC derivative, ensuring that the TOTP secret never leaves the operator's machine.
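As an added illustration that is not sealed-env's own code, the two payload constructions the advisory contrasts, plus a check an operator can run over an existing token to confirm whether its payload carries the raw secret. The claim names, the HMAC roles (secret as key, salt as message), and all sample values are assumptions.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    # JWS uses unpadded base64url for every segment
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jws_payload(token: str) -> dict:
    # The payload is the middle segment: encoded, signed, but never encrypted,
    # so anyone holding the token can read it without any key.
    return json.loads(b64url_decode(token.split(".")[1]))


def make_token(claims: dict, signing_key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(signing_key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def vulnerable_claims(totp_secret: bytes) -> dict:
    # Pattern the advisory describes for alpha.1 to alpha.3: raw secret in the payload
    return {"mode": "enterprise", "totp_secret": b64url(totp_secret)}


def fixed_claims(totp_secret: bytes, salt: bytes) -> dict:
    # Pattern described for alpha.4: only a salt-bound HMAC derivative is embedded,
    # so the payload no longer reveals the secret itself (hypothetical construction).
    binding = hmac.new(totp_secret, salt, hashlib.sha256).hexdigest()
    return {"mode": "enterprise", "totp_salt": b64url(salt), "totp_binding": binding}


def leaks_secret(token: str, totp_secret: bytes) -> bool:
    # Operator check: does the decoded payload contain the secret verbatim?
    payload = jws_payload(token)
    return any(v == b64url(totp_secret) for v in payload.values() if isinstance(v, str))


def verify_binding(token: str, totp_secret: bytes) -> bool:
    # Verifier side: recompute the derivative from the locally held secret
    payload = jws_payload(token)
    salt = b64url_decode(payload["totp_salt"])
    expected = hmac.new(totp_secret, salt, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, payload["totp_binding"])
```

Signature verification is omitted because it does not change what the payload discloses; the point is that only the fixed construction keeps the secret on the operator's machine.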

Impact

Exploitation of this vulnerability allows for the extraction of the TOTP secret from the JWS payload of unseal tokens, which could then be used to mint new valid unseal tokens, bypassing the library's second-factor authentication.

Remediation

Users should upgrade to sealed-env version 0.1.0-alpha.4 or later. Files sealed by affected versions must be re-sealed and the TOTP secret rotated. A full migration playbook is available in the CHANGELOG.md.

Added: May 12, 2026, 2:25 PM
Updated: May 12, 2026, 2:25 PM

Vulnerability Rating

Custom Algorithm

spread:          0.0
impact:          2.5
exploitability:  6.6
remediation:     0.0
relevance:       8.1
threat:          0.0
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.