Advisories for Npm/@Nocobase/Auth package

CVE-2025-13877 is an authentication bypass vulnerability caused by insecure default JWT key usage in NocoBase Docker deployments. Because the official one-click Docker deployment configuration historically provided a public default JWT key, attackers can forge valid JWT tokens without possessing any legitimate credentials. By constructing a token with a known userId (commonly the administrator account), an attacker can directly bypass authentication and authorization checks. Successful exploitation allows an attacker to: Bypass …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mv7p-34fv-4874. This link is maintained to preserve external references. Original Description A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of the file nocobase\packages\core\auth\src\base\jwt-service.ts of the component JWT Service. The manipulation of the argument API_KEY results in use of hard-coded cryptographic key . The attack can be launched remotely. A …