CVE-2025-13877 identifies a cryptographic vulnerability in nocobase, an open-source low-code platform, specifically within its JWT Service implementation. The issue arises from the use of a hard-coded cryptographic key embedded in the source code (nocobase\packages\core\auth\src\base\jwt-service.ts), which is used for signing or verifying JSON Web Tokens (JWTs). Attackers can remotely exploit this flaw by manipulating the API_KEY argument, allowing them to potentially forge or tamper with JWT tokens. This undermines the authentication and authorization mechanisms relying on these tokens, risking unauthorized access or privilege escalation. The attack complexity is high, indicating that exploitation requires significant effort or conditions, and no user interaction or privileges are needed, making it a remote vulnerability. The CVSS 4.0 vector (AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L) reflects network attack vector, high complexity, no privileges or user interaction, and low impact on confidentiality, integrity, and availability. The vendor has not responded to disclosure requests, and no official patches are available, though the exploit is publicly known. This vulnerability affects all nocobase versions up to 1.9.4 and all 2.0.0-alpha releases up to alpha.37, which are commonly used in web applications for rapid development and deployment of business logic and authentication services.

For European organizations, this vulnerability poses a risk to the confidentiality and integrity of authentication tokens, potentially allowing attackers to bypass authentication controls and access sensitive data or systems. This is particularly critical for sectors handling personal data under GDPR, financial institutions, healthcare providers, and government services relying on nocobase for identity management. The use of a hard-coded key means that once the key is known, all affected deployments using the default key are vulnerable until updated. This could lead to unauthorized data access, data manipulation, or service disruption. Although the impact on availability is low, the compromise of authentication tokens can lead to broader security breaches. The medium severity rating reflects the balance between the difficulty of exploitation and the potential damage. The lack of vendor response and patches increases the risk exposure time for organizations. Additionally, the public availability of exploit code raises the likelihood of opportunistic attacks targeting vulnerable European entities.

Organizations should immediately audit their nocobase deployments to identify affected versions. Since no official patch is available, administrators must manually replace the hard-coded cryptographic key with a securely generated, environment-specific secret stored outside the source code, such as in environment variables or secure vaults. Implement strict access controls on API endpoints to limit exposure. Monitor JWT token usage for anomalies, such as unexpected token issuances or invalid signatures. Employ network-level protections like Web Application Firewalls (WAFs) to detect and block suspicious requests targeting the JWT service. Consider isolating or segmenting systems running nocobase to reduce lateral movement risk. Stay alert for vendor updates or community patches and plan for timely upgrades once available. Finally, conduct security awareness training for developers and administrators emphasizing secure key management practices to prevent similar issues.