Description
FUXA used a static fallback JWT signing secret (frangoteam751) when no secretCode was configured.
If authentication was enabled without explicitly setting a custom secret, anyone who knew the default value could sign JWTs with arbitrary claims that the server would accept as valid, bypassing authentication entirely.
This issue has been addressed in version 1.3.0.
Recommendation
Update the @frangoteam/fuxa package to the latest compatible version. Regardless of version, set an explicit, randomly generated secretCode rather than relying on any default. Version details:
- Affected version(s): <= 1.2.11
- Patched version(s): 1.3.0
References
Related Issues
- FUXA has JWT Authentication Bypass via HTTP Referer header spoofing - CVE-2025-69985
- FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration - CVE-2026-25894
- Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival - CVE-2025-59414
- Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups - CVE-2025-27789
- Tags:
- npm
- @frangoteam/fuxa
Last updated on May 11, 2026


