Use of Hard-coded Credentials
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-798: Use of Hard-coded Credentials |
| OWASP | A07:2021 - Identification and Authentication Failures |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | High |
Description
The code embeds the secret or key used to sign or verify JWTs directly in source (for example a string literal passed to the signing or verification call). A secret that lives in source code is copied everywhere the code goes: version-control history, build artefacts, container images, crash dumps and developer machines. Anyone with read access to any of those can recover it, and rotating it requires a code change and redeploy rather than a configuration change.
Impact
With symmetric algorithms such as HS256 the signing key is also the verification key, so an attacker who obtains the hard-coded secret can mint tokens with arbitrary claims (a different subject, an elevated role, a later expiry) that the application accepts as genuine. Depending on which claims the application trusts, this enables unauthorized access, user impersonation, or privilege escalation. Tampering with an existing token is equally possible, since the attacker can re-sign the modified payload.
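The following added example (not code from the original page) illustrates both the description and the impact above with a minimal HS256 JWT implementation built on the Python standard library. `HARDCODED_SECRET`, the environment variable name `JWT_SECRET`, and all token payloads are constructed for the demonstration. It shows that a token forged with the secret read from source verifies successfully, and that moving the secret to a runtime-supplied value the attacker never saw makes the same forgery fail.

```python
"""Hard-coded JWT secret vs. secret loaded at runtime (HS256, stdlib only)."""
import base64
import hashlib
import hmac
import json
import os

# Constructed example of the vulnerable pattern: the HMAC key lives in source.
# Anyone who can read the repository or a build artefact can mint valid tokens.
HARDCODED_SECRET = "changeme123"  # constructed value for the demo, do not copy


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(payload: dict, secret: str) -> str:
    """Sign payload as HS256 JWT: b64url(header).b64url(payload).b64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, secret: str) -> dict:
    """Return the payload if the HS256 signature is valid, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust 'alg' from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(
        secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def load_secret(env_var: str = "JWT_SECRET", environ=None) -> str:
    """Hardened pattern: take the key from the environment (variable name is an assumption)
    and refuse to start with a missing or weak value."""
    environ = os.environ if environ is None else environ
    secret = environ.get(env_var)
    if not secret:
        raise RuntimeError(f"{env_var} is not set; refusing to run without a signing key")
    if len(secret.encode()) < 32:  # HS256 keys must be at least 256 bits (RFC 7518 s3.2)
        raise RuntimeError(f"{env_var} is shorter than 32 bytes")
    return secret


def attacker_forges_admin(leaked_secret: str, server_secret: str) -> bool:
    """Simulate an attacker who read leaked_secret from source: is their forged
    admin token accepted by a server verifying with server_secret?"""
    forged = create_jwt({"sub": "attacker", "role": "admin"}, leaked_secret)
    try:
        return verify_jwt(forged, server_secret).get("role") == "admin"
    except ValueError:
        return False


if __name__ == "__main__":
    # Vulnerable deployment: the secret in source is the one the server verifies with.
    print("forgery accepted (hard-coded):", attacker_forges_admin(HARDCODED_SECRET, HARDCODED_SECRET))
    # Hardened deployment: server key comes from the environment, attacker only has the old literal.
    os.environ.setdefault("JWT_SECRET", "constructed-32-byte-plus-demo-secret-value")
    print("forgery accepted (runtime secret):", attacker_forges_admin(HARDCODED_SECRET, load_secret()))
```

Moving the secret out of source is the minimum fix; the same check that rejects a missing `JWT_SECRET` should also reject short keys, since a hard-coded secret is very often also a weak one. Where tokens are verified by services other than the issuer, an asymmetric algorithm (RS256/ES256) removes the need to distribute the signing key at all.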