CVE-2024-57432
HIGH
macrozheng mall-tiny 1.0.1 - Authentication Bypass via Hardcoded JWT Signing Key
macrozheng mall-tiny 1.0.1 suffers from Insecure Permissions. The application's JWT signing keys are hardcoded and never change. User information is written directly into the JWT and used for subsequent privilege management, making it possible to forge the JWT of any user and thereby bypass authentication.
References (1)
Exploit, Third Party Advisory
https://github.com/peccc/restful_vul/blob/main/mall_tiny_weak_jwt/mall_tiny_weak_jwt.md
Scores
CVSS v3
7.5
EPSS
0.0049
EPSS Percentile
38.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-287
Status
published
Products (1)
macrozheng/mall-tiny
1.0.1
Published
Jan 31, 2025
Tracked Since
Feb 18, 2026