Description
FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP “Referer” header to validate internal requests.
Recommendation
No fix is available yet. The following versions are affected:
- <= 1.2.8
References
Related Issues
- Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765 - CVE-2025-66202
- SillyTavern has Authentication Bypass via SSO Header Injection - CVE-2026-44649
- FUXA has a hardcoded fallback JWT signing secret - CVE-2025-69971
- LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header - CVE-2026-39411
Tags:
- npm
- @frangoteam/fuxa
Last updated on February 26, 2026