Description
Server JWT signing secret was included in static assets and served to clients.
This ALLOWS Flood’s builtin authentication to be bypassed.
Recommendation
Update the flood package to the latest compatible version. Followings are version details:
- Affected version(s): >= 2.0.0, < 3.0.0
- Patched version(s): 3.0.0
References
Related Issues
- static-server Path Traversal vulnerability - CVE-2023-26152
- Electerm Security Vulnerability: RCE via malicious SSH server filename in openFileWithEditor - CVE-2026-43943
- ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability - CVE-2024-39309
- Gatsby develop server has Local File Inclusion vulnerability - CVE-2023-34238
You might also like:
- Tags:
- npm
- flood
Anything's wrong? Let us know Last updated on January 06, 2023


