CVE-2021-27884

MEDIUM

YMFE YApi <1.9.2 - RCE

Title source: llm

Description

Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used.

Scores

CVSS v3 5.1
EPSS 0.0006
EPSS Percentile 17.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

CWE
CWE-330
Status published
Products (2)
npm/yapi-vendor 0 - 1.9.3 (npm)
ymfe/yapi < 1.9.2
Published Mar 01, 2021
Tracked Since Feb 18, 2026