SYM_JSTS_0029 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Use of Hard-coded Credentials
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-798: Use of Hard-coded Credentials |
| OWASP | A07:2021 - Identification and Authentication Failures |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | High |
Description
The code uses a hard-coded secret or key when creating or verifying JWTs. Storing secrets directly in source code makes them easy to discover, exposing them to anyone with code access.
Impact
If an attacker obtains the hard-coded secret, they could forge or tamper with JWT tokens, potentially gaining unauthorized access, impersonating users, or escalating privileges within your application.