Insufficiently Protected Credentials
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-522: Insufficiently Protected Credentials |
| OWASP | A02:2017 - Broken Authentication |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Sensitive fields from application objects (for example a whole user record) are passed directly into the payload of jsonwebtoken.sign(). A JWT payload is only base64url-encoded, not encrypted, so anyone who receives or decodes the token can read those fields without knowing the signing key.
Impact
Anyone holding the JWT, whether the intended user or an attacker who obtains it, can decode the payload and read the embedded sensitive data, such as passwords, personal details, or credentials. This can lead to data leaks, account compromise, or unauthorized access to protected resources.