Insufficiently Protected Credentials

Property
Language: javascript
Severity: medium
CWE: CWE-522: Insufficiently Protected Credentials
OWASP: A02:2017 - Broken Authentication
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Medium

Description

User input is used directly as an object property name with bracket notation (e.g., obj[userInput]). An attacker can then read or overwrite properties the code never meant to expose, including inherited ones such as __proto__, constructor or hasOwnProperty, which can lead to prototype pollution or to bypassing checks that rely on those properties. Use fixed property names, validate the key against an allow-list, or keep user-keyed data in a Map or a null-prototype object (Object.create(null)) and check ownership with Object.hasOwn before reading.

Insufficiently Protected Credentials

Property
Language: javascript
Severity: low
CWE: CWE-522: Insufficiently Protected Credentials
OWASP: A02:2017 - Broken Authentication
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Sensitive information is being placed in the payload of a JWT signed with jose.JWT.sign. The payload of a signed JWT is only base64url-encoded, not encrypted, so secrets or personal data in it can be read without the signing key by anyone who sees the token: the browser, proxies, request logs, or any party the token is forwarded to.

Impact

If exploited, attackers or unintended recipients could read confidential information (like passwords, API keys, or user data) from the JWT payload, leading to data leaks, account compromise, or further attacks against your application and users.

Insufficiently Protected Credentials

Property
Language: python
Severity: high
CWE: CWE-522: Insufficiently Protected Credentials
OWASP: A02:2017 - Broken Authentication
Confidence Level: High
Impact Level: Medium
Likelihood Level: High

Description

The code passes a hardcoded string literal as the secret (HMAC key) or private key when generating JWTs. A secret embedded in source is visible to everyone with read access to the repository, its history, or any built artifact, and it cannot be rotated without a code change. Load it from an environment variable or a secrets manager at startup instead.

Impact

If an attacker obtains the hardcoded JWT secret, they can sign tokens carrying any claims they like (another user's subject, an elevated role, a far-future expiry) and the application will accept them as genuine, giving unauthorized access to protected resources and user accounts.

Insufficiently Protected Credentials

Property
Language: python
Severity: low
CWE: CWE-522: Insufficiently Protected Credentials
OWASP: A02:2017 - Broken Authentication
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Storing a user’s password inside a JWT exposes it: the payload of a signed JWT is base64url-encoded, not encrypted, so anyone holding the token can decode it without any key. Passwords should never be placed in a token; verify the password once at login against a stored hash and issue a token that carries only identity and authorization claims.

Impact

If exploited, attackers who obtain a JWT can directly access user passwords, leading to account compromise, credential reuse attacks, and potential data breaches. This exposes both users and the organization to serious security and privacy risks.

Insufficiently Protected Credentials

Property
Language: python
Severity: low
CWE: CWE-522: Insufficiently Protected Credentials
OWASP: A02:2017 - Broken Authentication
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Sensitive data is being placed directly in the payload passed to jwt.encode(). The result is a signed token (JWS), not an encrypted one: the payload is only base64url-encoded, and anyone who obtains the token can decode and read it without the key.

Impact

Exposing sensitive information such as passwords, credentials, or personal user data in JWTs can lead to data leaks and privacy breaches. Attackers or unauthorized parties could decode intercepted tokens and gain access to this confidential information, putting users and the application at risk.

Insufficiently Protected Credentials

Property
Language: ruby
Severity: low
CWE: CWE-522: Insufficiently Protected Credentials
OWASP: A02:2017 - Broken Authentication
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code passes a hardcoded secret or private key to JWT.encode or JWT.decode instead of loading it from configuration kept outside the source (an environment variable or a secrets manager). A key stored in the codebase is easy to discover and cannot be rotated without a new deployment.

Impact

An attacker with access to the codebase, its version history, or a build artifact can extract the JWT secret and forge or tamper with tokens, impersonating users or gaining unauthorized access to protected resources. This can lead to data breaches and loss of trust in the application’s security.
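The following is an added example, not code from this page or from any of the scanners it describes, and it serves both this Ruby entry and the Python entry above on hardcoded JWT secrets. It implements HS256 on the Python standard library so it runs offline, shows what a leaked hardcoded secret lets an attacker mint, and shows the fix: the key loaded from the environment at startup. HARDCODED_SECRET, the JWT_SECRET variable name, and the helper names are all assumptions made for the example.

```python
# Added example (not from the page): minimal HS256 JWT on the standard library,
# used to show what a leaked hardcoded secret buys an attacker and how the key
# should be loaded instead. All names below are constructed for the example.
import base64
import hashlib
import hmac
import json
import os
from typing import Mapping, Optional


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(claims: dict, secret: bytes) -> str:
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    tag = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(tag)}"


def hs256_verify(token: str, secret: bytes) -> Optional[dict]:
    """Returns the claims if the signature is valid, else None. The algorithm
    is pinned so a header of alg=none or RS256 cannot be substituted."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, tag = parts
    try:
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(tag)):
            return None
        return json.loads(b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


# --- the flagged pattern: the signing key is a literal in the source ---------
HARDCODED_SECRET = b"dev-secret-change-me"   # constructed; imagine it in git history


def issue_token_vulnerable(user_id: str) -> str:
    return hs256_sign({"sub": user_id, "role": "user"}, HARDCODED_SECRET)


def forge_token(leaked_secret: bytes, claims: dict) -> str:
    """Anyone who has read the repository can mint tokens the server accepts."""
    return hs256_sign(claims, leaked_secret)


# --- the fix: load the key from the environment or a secrets manager --------
def load_secret(environ: Optional[Mapping[str, str]] = None, name: str = "JWT_SECRET") -> bytes:
    env = os.environ if environ is None else environ
    value = env.get(name, "")
    if len(value.encode()) < 32:            # HS256 keys should be at least 256 bits
        raise RuntimeError(f"{name} must be set and at least 32 bytes long")
    return value.encode()


def issue_token(user_id: str, secret: bytes) -> str:
    return hs256_sign({"sub": user_id, "role": "user"}, secret)


if __name__ == "__main__":
    # constructed environment standing in for a real deployment
    env = {"JWT_SECRET": "Q2hhbmdlLW1lOiBsb2FkIGZyb20gYSBzZWNyZXQgc3RvcmU="}
    secret = load_secret(env)
    print(hs256_verify(issue_token("alice", secret), secret))
    forged = forge_token(HARDCODED_SECRET, {"sub": "alice", "role": "admin"})
    print(hs256_verify(forged, HARDCODED_SECRET))   # accepted: attacker is now admin
    print(hs256_verify(forged, secret))             # rejected by the real key
```

The point of forge_token is that nothing about it is clever: once the secret is known, signing is the same call the server makes. Keeping the key out of the source is what makes the signature worth anything, and the alg check in hs256_verify is the other half of the same lesson: a verifier that trusts the token's own header can be talked into skipping the key entirely.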

Insufficiently Protected Credentials

Property
Language: ruby
Severity: low
CWE: CWE-522: Insufficiently Protected Credentials
OWASP: A02:2017 - Broken Authentication
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code is storing user passwords inside the payload of JWTs. JWT payloads are base64url-encoded, not encrypted, so anyone who obtains a token can read the password with no key at all.

Impact

If exploited, attackers who obtain a JWT token can easily extract and steal user passwords, leading to account compromises, unauthorized access, and broader security breaches across your system or other services where users reuse passwords.

Insufficiently Protected Credentials

Property
Language: ruby
Severity: low
CWE: CWE-522: Insufficiently Protected Credentials
OWASP: A02:2017 - Broken Authentication
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Sensitive data is being placed directly in the payload of a JWT. The payload of a signed JWT is base64url-encoded, not encrypted, and decodes without the key, so confidential information in it is exposed to anyone who receives, logs or inspects the token.

Impact

If exploited, attackers or unauthorized users could access private details such as passwords, personal data, or internal identifiers from the JWT, leading to data leaks, privacy violations, or further attacks using the exposed information.
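The following is an added example, not code from this page or from the libraries the entries name (jose, PyJWT, the ruby jwt gem); it serves this Ruby entry and the JavaScript, Python and Ruby entries above about passwords and other sensitive data in JWT payloads. It decodes a token's payload with no key, runs a small claim-name check of the kind you can put in a test suite, and shows where the password goes instead (a server-side PBKDF2 hash) and what a token should carry. The claim names checked, the placeholder signature and the sample token are all constructed for the example.

```python
# Added example (not from the page): a JWS payload is readable without any key,
# a cheap claims check for CI, and what a login flow should put in the token
# instead of the password. All names and sample data are constructed.
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_with_claims(claims: dict) -> str:
    """Builds header.payload.signature in JWS shape. The signature is a
    constructed placeholder: reading the payload does not depend on it."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{b64url_encode(b'signature-not-relevant')}"


def unverified_claims(token: str) -> dict:
    """What a proxy log, browser devtools or a pasted HAR file reveals:
    the payload, with no key and no signature check."""
    return json.loads(b64url_decode(token.split(".")[1]))


SENSITIVE_CLAIM_NAMES = {"password", "passwd", "pwd", "secret", "api_key", "apikey",
                         "token", "ssn", "credit_card", "card_number"}


def sensitive_claims(claims: dict) -> list:
    """Names of claims that should never be inside a token. Matches on the
    claim name only, so it is a cheap guard for tests, not a data classifier."""
    return sorted(k for k in claims
                  if k.lower() in SENSITIVE_CLAIM_NAMES or "password" in k.lower())


# --- where the password belongs instead: a server-side hash -----------------
PBKDF2_ROUNDS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def check_password(stored: str, password: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def safe_claims(user_id: str, role: str, now: int, ttl_seconds: int = 900) -> dict:
    """Only what the resource server needs to authorize the request: identity,
    role, validity window and a unique id for revocation. No credentials."""
    return {"sub": user_id, "role": role, "iat": now, "exp": now + ttl_seconds,
            "jti": secrets.token_urlsafe(16)}


if __name__ == "__main__":
    # constructed token of the kind the flagged code would produce
    leaky = token_with_claims({"sub": "alice", "password": "hunter2", "email": "alice@example.com"})
    print(unverified_claims(leaky))                  # the password is right there
    print(sensitive_claims(unverified_claims(leaky)))
    print(sensitive_claims(safe_claims("alice", "user", 1_700_000_000)))  # []
```

unverified_claims is deliberately the attacker's view, not a verifier; it exists to make the point that nothing in the token's structure protects the payload. If a claim genuinely has to be confidential, the token must be encrypted (a JWE), which none of the calls these entries flag produce by default.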

Integer Overflow or Wraparound

Property
Language: php
Severity: medium
CWE: CWE-190: Integer Overflow or Wraparound
Confidence Level: High
Impact Level: Low
Likelihood Level: Low

Description

PHP’s base_convert() converts its input through a double once the value exceeds PHP_INT_MAX (2^63 - 1 on 64-bit builds), so only 53 significant bits survive. Converting a long random value such as a 128-bit session or CSRF token or a hash digest therefore silently truncates it, and distinct inputs can collapse to the same output. It is unsuitable for handling such tokens: keep them as the hex or base64 strings they were generated as, or use arbitrary-precision arithmetic (gmp or bcmath) if a base change is genuinely needed.

Impact

A token that has been truncated this way carries at most 53 bits of its original entropy, and many distinct tokens map to the same converted value, so an attacker can guess or collide them far more easily than intended. Depending on what the token protects, that means session hijacking, CSRF bypass, or defeat of other checks that rely on the token being unpredictable and unique.
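The following is an added example, not code from this page, that models the precision loss described above. Python integers are arbitrary precision, so the float step that PHP takes is reproduced explicitly; that is an approximation of PHP’s internals (which accumulate digit by digit), but the effect on a long token is the same. The token values, PHP_INT_MAX constant and helper names are assumptions made for the example.

```python
# Added example (not from the page): models the precision loss of PHP's
# base_convert() and contrasts it with an exact conversion. The float step is
# simulated here, since Python ints never lose precision.
import string

DIGITS = string.digits + string.ascii_lowercase   # base_convert's alphabet, 0-9 a-z
PHP_INT_MAX = 2**63 - 1                           # 64-bit PHP build assumed


def int_to_base(value: int, base: int) -> str:
    """Exact integer -> string in the given base (2..36)."""
    if value == 0:
        return "0"
    digits = []
    while value:
        value, rem = divmod(value, base)
        digits.append(DIGITS[rem])
    return "".join(reversed(digits))


def php_like_base_convert(number: str, from_base: int, to_base: int) -> str:
    """Approximates base_convert(): exact while the value fits a PHP int,
    otherwise passed through a 64-bit double with 53 significant bits."""
    value = int(number, from_base)
    if value > PHP_INT_MAX:
        value = int(float(value))        # the lossy step
    return int_to_base(value, to_base)


def exact_base_convert(number: str, from_base: int, to_base: int) -> str:
    """What you actually want for tokens: arbitrary precision all the way."""
    return int_to_base(int(number, from_base), to_base)


def round_trips(token_hex: str, convert) -> bool:
    """hex -> base36 -> hex; only an exact converter gets the token back."""
    return convert(convert(token_hex, 16, 36), 36, 16) == token_hex


# Constructed 128-bit session token, the shape bin2hex(random_bytes(16)) returns.
TOKEN = "deadbeef" * 4
# A second token that differs only in its last hex digit.
TOKEN_SIBLING = TOKEN[:-1] + "0"

if __name__ == "__main__":
    print("small value ok:", php_like_base_convert("ff", 16, 10))            # 255
    print("128-bit round trip:", round_trips(TOKEN, php_like_base_convert))  # False
    print("exact round trip:  ", round_trips(TOKEN, exact_base_convert))     # True
    # Two distinct tokens become the same value after base_convert():
    print(php_like_base_convert(TOKEN, 16, 36) == php_like_base_convert(TOKEN_SIBLING, 16, 36))
```

The collision is the part that matters for CSRF and session tokens: a token near 2^128 sits on a double grid with spacing 2^75, so every token within that spacing converts to the same string, and comparing converted values no longer distinguishes them. In PHP the exact equivalent of exact_base_convert is gmp_strval(gmp_init($hex, 16), 36), but the simplest fix is to never convert the token at all and compare the original string with hash_equals().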