SYM_JSTS_0053 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Insufficiently Protected Credentials

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-522: Insufficiently Protected Credentials |
| OWASP | A02:2017 - Broken Authentication |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |

## Description
The application uses express-jwt without configuring token revocation, meaning there is no way to invalidate JWTs if they are leaked or compromised. This allows any valid token to be reused indefinitely until it expires.
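The missing piece described above, as an added example that is not code from the Symbiotic database or the express-jwt project: a `jti`-keyed denylist and an `isRevoked` hook in the shape express-jwt 7+ expects (`async (req, token) => boolean`, where `token` is the decoded JWT; older releases use a callback signature). The process-local `Map` store, the injectable clock and the sample payloads are assumptions made for the example.

```javascript
// Added example (not from the page or from express-jwt): a revocation list
// keyed by the token's jti claim, plus the isRevoked hook that express-jwt 7+
// calls before it accepts a verified token. Wiring (not executed here):
//   app.use(expressjwt({ secret, algorithms: ['HS256'], isRevoked }));
// Assumption: a single-process Map store; a shared store (e.g. a cache that
// all instances can reach) is needed when the app runs on several nodes.

const revoked = new Map(); // jti -> exp (seconds since epoch)

function nowSeconds(clock = Date.now) {
  return Math.floor(clock() / 1000);
}

// Called on logout or account disable. Returns true if the token was recorded,
// false if it had already expired (the signature check rejects it anyway).
function revokeToken(payload, clock = Date.now) {
  if (!payload || typeof payload.jti !== 'string' || typeof payload.exp !== 'number') {
    throw new Error('token needs jti and exp claims to be revocable');
  }
  if (payload.exp <= nowSeconds(clock)) return false;
  revoked.set(payload.jti, payload.exp);
  return true;
}

// Drops entries whose tokens have expired so the list stays bounded by the
// token lifetime. Returns the number of entries still held.
function pruneRevoked(clock = Date.now) {
  const now = nowSeconds(clock);
  for (const [jti, exp] of revoked) {
    if (exp <= now) revoked.delete(jti);
  }
  return revoked.size;
}

// Synchronous decision on a decoded payload. Fails closed: a token without a
// jti cannot be revoked, so it is not accepted; an expired token is rejected
// even if pruning already removed it from the list.
function isPayloadRevoked(payload, clock = Date.now) {
  if (!payload || typeof payload.jti !== 'string' || typeof payload.exp !== 'number') {
    return true;
  }
  if (payload.exp <= nowSeconds(clock)) return true;
  return revoked.has(payload.jti);
}

// express-jwt 7+ hook: `token` is the decoded JWT ({ header, payload, signature }).
async function isRevoked(req, token) {
  return isPayloadRevoked(token && token.payload);
}
```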
## Impact
If a JWT is stolen or leaked, an attacker can continue to access protected resources using that token, even if the user is logged out or their account is disabled. This could lead to unauthorized access to sensitive data or functions, increasing the risk of account takeover or data breaches.