Description
Server JWT signing secret was included in static assets and served to clients.
This ALLOWS Flood’s builtin authentication to be bypassed.
Recommendation
Update the flood package to the latest compatible version. Followings are version details:
- Affected version(s): >= 2.0.0, < 3.0.0
- Patched version(s): 3.0.0
References
Related Issues
- LobeHub Vulnerable to Improper Authorization in Presigned Upload - CVE-2026-23835
- ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay - CVE-2025-68113
- Astro vulnerable to reflected XSS via the server islands feature - CVE-2025-64764
- Trix allows Cross-site Scripting via `javascript:` url in a link - CVE-2025-21610
- Tags:
- npm
- flood
Anything's wrong? Let us know Last updated on January 06, 2023