CVE-2025-69985

CRITICAL LAB

FUXA <=1.2.8 - Auth Bypass to RCE

Title source: llm

Description

FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can bypass JWT authentication by spoofing the Referer header to match the server's host. Successful exploitation allows the attacker to access the protected /api/runscript endpoint and execute arbitrary Node.js code on the server.

Exploits (3)

nomisec WORKING POC 1 stars

by joshuavanderpoll · poc

https://github.com/joshuavanderpoll/CVE-2025-69985

View Code ZIP pw:eip

github WORKING POC 1 stars

by exploitintel · pythonpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-69985

View Code ZIP pw:eip

nomisec WORKING POC

by tianarsamm · poc

https://github.com/tianarsamm/CVE-2025-69985

View Code ZIP pw:eip

References (2)

[Various Sources] https://gist.github.com/lihy10/8cb2dd65ebf1385f12a7e00e25a50d40

[Third Party Advisory] https://github.com/frangoteam/FUXA/blob/master/server/api/jwt-helper.js

View Writeup ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0064

EPSS Percentile 70.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

Lab screenshot

patched vulnerable

docker pull ghcr.io/exploitintel/cve-2025-69985-vulnerable:latest

All Labs GitHub

Classification

CWE

CWE-288

Status published

Affected Products (2)

frangoteam/fuxa npm

frangoteam/fuxa < 1.2.8

Timeline

Published Feb 24, 2026

Tracked Since Feb 24, 2026