
JWT Signing Secret Exposed in API Error Response

Severity: CRITICAL
Industry: SaaS
Finding: Hardcoded JWT signing secret returned in error response headers — complete token forgery for any user
Method: Manual + automated penetration testing
Outcome: Complete authentication bypass — any attacker discovering this endpoint could access any user account including admin. No breach occurred. The secret was rotated within 2 hours of disclosure, environment variables replaced hardcoded secrets within 24 hours, and a secrets scanning step was added to the CI pipeline.

Technical detail

During API security testing for a SaaS platform, ThreatRiX sent a malformed authentication request to /api/auth/refresh. The API returned a verbose error response that included the application's JWT signing secret in the response body.

With the signing secret exposed, an attacker could generate valid JWT tokens for any user ID — including admin accounts — without knowing any credentials. The secret was also hardcoded in the source, meaning rotation required a code deployment.

CVSS Score: 10.0 (Critical). Complete authentication bypass for the entire platform.


Remediation

Immediate: JWT secret rotated, all existing tokens invalidated, forced re-authentication for all users.
Medium-term: hardcoded secret removed and replaced with an environment variable injected at deploy time.
Long-term: secrets scanning (Gitleaks, TruffleHog) added to the CI pipeline to prevent future hardcoded secrets from reaching production.
ThreatRiX retested and confirmed clean.
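The three remediation steps above, as an added example (not ThreatRiX's or the platform's own code): the secret is read from an assumed JWT_SIGNING_SECRET environment variable and the process refuses to start without it, the error handler returns only a generic message plus a correlation id while the detail goes to the server log, and verification pins the algorithm so that a token minted under the old secret is rejected once the secret is rotated. The HS256 helper is a minimal stand-in for a real JWT library.

```python
import base64
import hashlib
import hmac
import json
import os
import uuid

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def load_secret(env=os.environ) -> str:
    """Read the signing secret injected at deploy time; refuse to start without it."""
    secret = env.get("JWT_SIGNING_SECRET")  # assumed variable name
    if not secret:
        raise RuntimeError("JWT_SIGNING_SECRET is not set; refusing to start")
    return secret

def sign_hs256(claims: dict, secret: str) -> str:
    """Mint an HS256 token (minimal illustration, not a full JWT library)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_hs256(token: str, secret: str):
    """Return the claims if the signature is valid under `secret`, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never trust 'alg' taken from the token
        expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # signature made under a different (e.g. pre-rotation) secret
        return json.loads(_b64url_decode(body))
    except (ValueError, AttributeError):
        return None  # malformed token: fail closed, no detail to the client

def error_response(exc: Exception) -> dict:
    """Client-facing error body: generic message plus a correlation id only."""
    ref = str(uuid.uuid4())
    print(f"[auth] ref={ref} {type(exc).__name__}: {exc}")  # stays in the server log
    return {"error": "authentication_failed", "ref": ref}
```

The `print` stands in for the server-side logger; the exception text never reaches the response, so a config value caught up in an exception message cannot leak the way the finding describes.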
