Description
FUXA used a static fallback JWT signing secret (frangoteam751) when no secretCode was configured.
If authentication was enabled without explicitly setting a custom secret, an attacker who knew the default value could forge valid JWT tokens and bypass authentication.
This issue has been addressed in version 1.3.
Recommendation
Update the @frangoteam/fuxa package to the latest compatible version. Version details:
- Affected version(s): <= 1.2.11
- Patched version(s): 1.3.0
References
Related Issues
- FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration - CVE-2026-25894
- FUXA has JWT Authentication Bypass via HTTP Referer header spoofing - CVE-2025-69985
- A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA - CVE-2023-33831
- liquidjs has a path traversal fallback vulnerability - CVE-2026-30952
Tags:
- npm
- @frangoteam/fuxa
Last updated on March 07, 2026