Property: Value
Language: scala
Severity: high
CWE: CWE-522: Insufficiently Protected Credentials
OWASP: A02:2017 - Broken Authentication
Confidence Level: High
Impact Level: Medium
Likelihood Level: Medium

Description

The code uses a hardcoded secret or private key for signing JWTs, storing sensitive credentials directly in the source code. This makes it easy for attackers to discover and misuse these secrets if the code is exposed.

Impact

If exploited, an attacker could forge or tamper with JWT tokens, potentially gaining unauthorized access to user accounts or protected resources. Hardcoded secrets also increase the risk of credential leaks, especially if the code is shared or stored in version control.
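As an added example (not part of this rule page or of any analysed project), the snippet below shows the pattern the rule reports next to a hardened version. It assumes the jwt-scala library (the `pdi.jwt` package) is on the classpath and that the deployment supplies the key in an environment variable named JWT_SIGNING_KEY; both the library choice and the variable name are assumptions. The hardened service fails closed at startup when the key is missing or too short, verifies tokens against an explicit algorithm allow-list, and, for the impact described above, rejects a token minted with the leaked hardcoded key.

```scala
// Added example: the hardcoded-secret pattern beside a hardened version.
// Assumes jwt-scala (pdi.jwt) on the classpath; JWT_SIGNING_KEY is an assumed name.
import pdi.jwt.{Jwt, JwtAlgorithm, JwtClaim}
import java.nio.charset.StandardCharsets
import scala.util.{Failure, Success, Try}

// --- Vulnerable: CWE-522, the signing key lives in source and in version control ---
object VulnerableTokenService {
  private val secret = "super-secret-key-in-git" // hardcoded secret: this is what the rule flags

  def issue(subject: String): String =
    Jwt.encode(JwtClaim(subject = Some(subject)), secret, JwtAlgorithm.HS256)
}

// --- Hardened: the key comes from deployment configuration, never from the repository ---
object TokenService {
  private val algorithm = JwtAlgorithm.HS256

  // Fail closed at startup: a missing or short key is a deployment error,
  // not something to paper over with a default value.
  private val signingKey: String = {
    val key = sys.env.getOrElse(
      "JWT_SIGNING_KEY",
      throw new IllegalStateException("JWT_SIGNING_KEY is not set"))
    // RFC 7518 calls for an HS256 key of at least 256 bits (32 bytes).
    require(
      key.getBytes(StandardCharsets.UTF_8).length >= 32,
      "JWT_SIGNING_KEY must be at least 32 bytes")
    key
  }

  def issue(subject: String, now: Long, ttlSeconds: Long): String =
    Jwt.encode(
      JwtClaim(
        subject = Some(subject),
        issuedAt = Some(now),
        expiration = Some(now + ttlSeconds)),
      signingKey,
      algorithm)

  // Verify with an explicit algorithm allow-list so a token that names a
  // different alg (or "none") is rejected instead of accepted.
  def verify(token: String): Try[JwtClaim] =
    Jwt.decode(token, signingKey, Seq(algorithm))
}

object Demo {
  def main(args: Array[String]): Unit = {
    val now = System.currentTimeMillis() / 1000
    val token = TokenService.issue("user-42", now, ttlSeconds = 3600)
    TokenService.verify(token) match {
      case Success(claim) => println(s"valid token for ${claim.subject.getOrElse("?")}")
      case Failure(e)     => println(s"rejected: ${e.getMessage}")
    }

    // A token signed with the leaked hardcoded key does not verify against the
    // real signing key; that separation is exactly what the hardcoded pattern loses.
    val forged = VulnerableTokenService.issue("admin")
    println(s"token signed with the hardcoded key accepted? ${TokenService.verify(forged).isSuccess}")
  }
}
```

Run with JWT_SIGNING_KEY set to a random value of at least 32 bytes (for example, the output of a CSPRNG encoded as base64); starting the service without it throws, which is the intended behaviour. Rotating the key then means changing deployment configuration rather than committing a new secret, and a leak of the repository no longer discloses the key.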