SYM_JSTS_0035 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Use of Hard-coded Credentials
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-798: Use of Hard-coded Credentials |
| OWASP | A07:2021 - Identification and Authentication Failures |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | High |
Description
The application's JWT secret key is hard-coded directly in the source code. Storing secrets this way makes them easy to accidentally expose if the code is leaked, shared, or uploaded to public repositories.
Impact
If an attacker obtains the hard-coded secret, they can forge or tamper with JWT tokens, potentially impersonating users or escalating privileges within your app. This can lead to unauthorized access, data breaches, and compromised application security.