CVE-2025-13877: Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments
CVE-2025-13877 is an authentication bypass vulnerability caused by the use of an insecure default JWT signing secret in NocoBase Docker deployments.
Because the official one-click docker-compose deployment configuration historically shipped with a publicly known default JWT secret, an attacker can forge valid JWT tokens without possessing any legitimate credentials. By constructing a token with a known userId (commonly the administrator account), the attacker directly bypasses authentication and authorization checks.
Successful exploitation allows an attacker to:
- Bypass authentication entirely
- Impersonate arbitrary users
- Gain full administrator privileges
- Access sensitive business data
- Create, modify, or delete users
- Access cloud storage credentials and other protected secrets
The vulnerability is remotely exploitable, requires no authentication, and public proof-of-concept exploits are available. This issue is functionally equivalent in impact to other JWT secret exposure vulnerabilities such as CVE-2024-43441 and CVE-2025-30206.
Deployments that used the default Docker configuration without explicitly overriding the JWT secret are affected.
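As an added illustration (not code from the advisory or from the NocoBase project), the stdlib-only Python below shows the defender-side consequence: an HS256 token minted under a placeholder default secret verifies until the secret is rotated, and a deployment audit flags a secret that is unset, matches a published default, or is too short. The placeholder default value is constructed, and the page does not name NocoBase's configuration variable, so the audit takes the secret as a plain argument.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional

# Constructed placeholder standing in for a published default; the real
# NocoBase default value is deliberately not reproduced here.
KNOWN_DEFAULT_SECRETS = {"default-docker-compose-secret-PLACEHOLDER"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(payload: dict, secret: str) -> str:
    """Mint an HS256 JWT; used only to build fixtures for the checks below."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the payload only if the signature is valid under `secret`, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # refuse alg confusion ('none', RS256, ...)
        expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(body_b64))
        return payload if isinstance(payload, dict) else None
    except ValueError:  # malformed base64/JSON or wrong segment count
        return None

def audit_jwt_secret(secret: Optional[str]) -> list:
    """Deployment check: report why the configured JWT secret is unsafe, if it is."""
    findings = []
    if not secret:
        findings.append("JWT secret is unset")
    elif secret in KNOWN_DEFAULT_SECRETS:
        findings.append("JWT secret matches a published default")
    elif len(secret) < 32:
        findings.append("JWT secret shorter than 32 characters")
    return findings

def rotate_secret() -> str:
    """Generate a fresh high-entropy secret; rotating it invalidates every token signed before."""
    return secrets.token_urlsafe(48)
```

Rotating the secret is the remediation step that matters: any token forged under the old default stops verifying the moment the new value is deployed.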
References
- docs.nocobase.com/welcome/getting-started/installation/docker-compose
- gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d
- github.com/advisories/GHSA-mv7p-34fv-4874
- github.com/nocobase/nocobase
- github.com/nocobase/nocobase/blob/main/docker/app-mariadb/docker-compose.yml
- github.com/nocobase/nocobase/blob/main/docker/app-mysql/docker-compose.yml
- github.com/nocobase/nocobase/blob/main/docker/app-postgres/docker-compose.yml
- github.com/nocobase/nocobase/blob/main/docker/app-sqlite/docker-compose.yml
- github.com/nocobase/nocobase/commit/de4292ea7847dd26c6306445091769f8b9ee96d5
- github.com/nocobase/nocobase/security/advisories/GHSA-mv7p-34fv-4874
- nvd.nist.gov/vuln/detail/CVE-2025-13877
- v2.docs.nocobase.com/get-started/installation/docker
- vuldb.com/?ctiid.334033
- vuldb.com/?id.334033
- vuldb.com/?submit.692205