Insufficiently Protected Credentials
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-522: Insufficiently Protected Credentials |
| OWASP | A02:2017 - Broken Authentication |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Sensitive information is included in the payload of a JWT signed with jose.JWT.sign. A signed JWT's payload is only base64url-encoded, not encrypted, so anyone who obtains the token can decode and read it, which can accidentally expose secrets or personal data.
Impact
If exploited, attackers or unintended recipients could read confidential information (like passwords, API keys, or user data) from the JWT payload, leading to data leaks, account compromise, or further attacks against your application and users.