Reconnecting to live updates…

CVE-2025-13877: Use of Hard-coded Cryptographic Key in nocobase

Medium

VulnerabilityCVE-2025-13877cve cve-2025-13877

Published: Tue Dec 02 2025 (12/02/2025, 16:02:05 UTC)

Source: CVE Database V5

Product: nocobase

Description

A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of the file nocobase\packages\core\auth\src\base\jwt-service.ts of the component JWT Service. The manipulation of the argument API_KEY results in use of hard-coded cryptographic key . The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2025-12-02T09:44:50.654Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 692f0ffa16d939a309ce6a2f

Added to database: 12/2/2025, 4:12:42 PM

Last updated: 12/2/2025, 4:13:20 PM

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by

Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.