Description
GitHub incorrectly stated this vulnerability is identical to CVE-2025-69970, which describes the fact that authentication is disabled by default. This advisory describes an exploit chain that enables authentication bypass via the heartbeat refresh endpoint when authentication is enabled.
Recommendation
Update the fuxa-server package to the latest compatible version. Version details:
- Affected version(s): <= 1.2.9
- Patched version(s): 1.2.10
References
Related Issues
- FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration - CVE-2026-25894
- FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
- FUXA Unauthenticated Remote Code Execution in Node-RED Integration - CVE-2026-25938
- FUXA allows Remote Code Execution (RCE) via the project import functionality. - CVE-2025-69983
Tags: npm, fuxa-server
Last updated on February 10, 2026