| Property | Value |
|---|---|
| Language | go |
| Severity | high |
| CWE | CWE-798: Use of Hard-coded Credentials |
| OWASP | A07:2021 - Identification and Authentication Failures |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |

Description

The code uses a hard-coded key or secret to sign JWTs, embedding the credential directly in the source. Anyone with access to the code can read the key, which increases the risk of it leaking.

Impact

If an attacker obtains the hard-coded key, they can forge or tamper with JWTs, bypass authentication, or gain unauthorized access to protected resources. This can lead to data breaches, privilege escalation, and compromise of user accounts or application integrity.
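The following Go program is an added example written for this page; it is not code from the rule's author or from any project. It shows the flagged pattern (a package-level constant used as the HS256 signing key) next to the remediation the rule implies: loading the key from the runtime environment and refusing to start when it is missing or too short. The environment variable name `JWT_SIGNING_KEY`, the 32-byte minimum and the constant's value are assumptions chosen for the example; JWT signing and verification are implemented directly with the standard library (`crypto/hmac`, `encoding/base64`) so the example runs without third-party modules. Verification pins the algorithm to HS256 and compares MACs in constant time, which is what lets the test show that a token minted with the leaked constant is rejected once the service uses a key it did not ship in source.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Vulnerable pattern (CWE-798): the signing key is a constant in the source,
// so anyone who can read the repository can mint valid tokens.
// Constructed example value, not a real secret.
const hardcodedJWTSecret = "example-hardcoded-secret-do-not-use"

// SigningKeyEnv is an assumed variable name used by this example.
const SigningKeyEnv = "JWT_SIGNING_KEY"

// minKeyLen: RFC 7518 requires HS256 keys of at least 256 bits (32 bytes).
const minKeyLen = 32

// loadSigningKey is the hardened pattern: the key is supplied at runtime and
// startup fails fast if it is absent or too short to be a proper HS256 key.
func loadSigningKey() ([]byte, error) {
	key := os.Getenv(SigningKeyEnv)
	if key == "" {
		return nil, fmt.Errorf("%s is not set; refusing to start without a signing key", SigningKeyEnv)
	}
	if len(key) < minKeyLen {
		return nil, fmt.Errorf("%s is %d bytes; HS256 keys must be at least %d bytes", SigningKeyEnv, len(key), minKeyLen)
	}
	return []byte(key), nil
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signHS256 builds a compact JWS (header.payload.signature) using HMAC-SHA256.
func signHS256(key []byte, claims map[string]interface{}) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64url(header) + "." + b64url(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64url(mac.Sum(nil)), nil
}

// verifyHS256 recomputes the MAC over header.payload and compares it in
// constant time. The algorithm is pinned to HS256 so the header cannot
// select a weaker or absent algorithm.
func verifyHS256(key []byte, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil || header.Alg != "HS256" {
		return nil, errors.New("unexpected or missing alg")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("invalid signature")
	}
	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payloadJSON, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	// Vulnerable: the key comes from the source file.
	tok, _ := signHS256([]byte(hardcodedJWTSecret), map[string]interface{}{"sub": "alice"})
	fmt.Println("token signed with hard-coded key:", tok)

	// Hardened: the key comes from the environment and is validated at startup.
	key, err := loadSigningKey()
	if err != nil {
		fmt.Println("startup error:", err)
		return
	}
	tok, _ = signHS256(key, map[string]interface{}{"sub": "alice", "role": "user"})
	claims, err := verifyHS256(key, tok)
	fmt.Println(claims, err)
}
```

Run it once with `JWT_SIGNING_KEY` unset to see the startup refusal, then with a 32-byte or longer value to see a token round-trip. In production the key would typically come from a secrets manager rather than a plain environment variable, but the property the rule cares about is the same: the key is injected at runtime and can be rotated without touching the code.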