SYM_JSTS_0162 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Insufficiently Protected Credentials
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-522: Insufficiently Protected Credentials |
| OWASP | A02:2017 - Broken Authentication |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Sensitive information is included in the payload of a JWT created with jose.JWT.sign. A signed JWT payload is only base64url-encoded, not encrypted, so the signature proves integrity but provides no confidentiality: anyone who can read the token can read the secrets or personal data placed in its claims.
Impact
If exploited, attackers or unintended recipients could read confidential information (like passwords, API keys, or user data) from the JWT payload, leading to data leaks, account compromise, or further attacks against your application and users.