GHSA-c8m8-3jcr-6rj5: FUXA has a hardcoded fallback JWT signing secret

March 7, 2026

FUXA used a static fallback JWT signing secret (frangoteam751) when no secretCode was configured.

If authentication was enabled without explicitly setting a custom secret, an attacker who knew the default value could forge valid JWT tokens and bypass authentication.

This issue has been addressed in version 1.3.0 by removing the static fallback and generating a secure random secret when no secretCode is provided.

References

github.com/advisories/GHSA-c8m8-3jcr-6rj5
github.com/frangoteam/FUXA
github.com/frangoteam/FUXA/security/advisories/GHSA-c8m8-3jcr-6rj5

Code Behaviors & Features

Detect and mitigate GHSA-c8m8-3jcr-6rj5 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →