During API security testing for a SaaS platform, ThreatRiX sent a malformed authentication request to /api/auth/refresh. The API returned a verbose error response that included the application's JWT signing secret in the response body.
With the signing secret exposed, an attacker could generate valid JWT tokens for any user ID — including admin accounts — without knowing any credentials. The secret was also hardcoded in the source, meaning rotation required a code deployment.
CVSS Score: 10.0 (Critical). Complete authentication bypass for the entire platform.
Immediate: JWT secret rotated, all existing tokens invalidated, forced re-authentication for all users. Medium-term: hardcoded secret removed and replaced with an environment variable injected at deploy time. Long-term: secrets scanning (Gitleaks, TruffleHog) added to the CI pipeline to prevent future hardcoded secrets from reaching production. ThreatRiX retested and confirmed clean.
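The following is an added illustration of the finding and its fix, written for this write-up; it is not ThreatRiX's tooling or the affected platform's code. It assumes an HS256-signed JWT, a refresh endpoint implemented as a function returning (status, body), an environment variable named JWT_SECRET, and the handler, config and regex names shown, all of which are constructed for the example. It contrasts the "before" pattern (a catch-all that echoes the live config, which is how a signing secret ends up in an error body) with the "after" pattern (generic client-facing error, detail in the server log, secret loaded at deploy time), shows that a rotated key rejects every token issued under the old one, and includes a toy version of the CI secrets check that Gitleaks or TruffleHog perform properly.

```python
import base64
import hashlib
import hmac
import json
import logging
import re
import secrets
import time

log = logging.getLogger("auth")

# "Before" state as the write-up describes it: the signing secret lives in the source tree.
# The value is a constructed placeholder, not a real key.
HARDCODED_CONFIG = {"jwt_secret": "constructed-example-secret-do-not-use-0000", "issuer": "saas-example"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT (header.payload.signature) over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token, secret: bytes, now=None):
    """Return the claims if signature and expiry check out under *secret*, else None.
    A token signed under a previous (rotated-out) secret fails here."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # refuse alg confusion ("none", RS256, ...)
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, AttributeError, TypeError):
        return None  # malformed token: no detail leaves this function
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        return None
    return claims


def refresh_handler_verbose(body: str, config: dict):
    """"Before" pattern: a debug-style catch-all that echoes the exception and the live
    config, which is how the signing secret ends up in the HTTP response body."""
    try:
        token = json.loads(body)["refresh_token"]
        claims = verify_jwt(token, config["jwt_secret"].encode())
        if claims is None:
            raise PermissionError("refresh token rejected")
        new = sign_jwt({"sub": claims["sub"], "exp": int(time.time()) + 900}, config["jwt_secret"].encode())
        return 200, {"access_token": new}
    except Exception as exc:
        return 500, {"error": repr(exc), "config": config}  # the leak: config carries the secret


def refresh_handler_hardened(body: str, secret: bytes):
    """"After" pattern: generic client-facing errors; detail goes to the server log only."""
    try:
        token = json.loads(body)["refresh_token"]
    except (ValueError, KeyError, TypeError) as exc:
        log.warning("malformed refresh request: %r", exc)
        return 400, {"error": "invalid request"}
    claims = verify_jwt(token, secret)
    if claims is None or "sub" not in claims:
        return 401, {"error": "invalid or expired token"}
    return 200, {"access_token": sign_jwt({"sub": claims["sub"], "exp": int(time.time()) + 900}, secret)}


def load_secret_from_env(env) -> bytes:
    """"After" config: the secret arrives at deploy time (pass os.environ), never from source.
    Fails closed instead of falling back to a default."""
    value = env.get("JWT_SECRET", "")
    if len(value) < 32:
        raise RuntimeError("JWT_SECRET missing or too short; refusing to start")
    return value.encode()


def rotate_secret() -> bytes:
    """Fresh 256-bit HS256 key. Verifying with it rejects every token issued under the old
    key, which is the "all existing tokens invalidated, forced re-authentication" step."""
    return secrets.token_bytes(32)


# Toy of the CI check the write-up adds (Gitleaks/TruffleHog are far more thorough):
# flag lines that assign a long quoted literal to a secret-looking name.
SECRET_ASSIGNMENT = re.compile(r'(?i)(jwt[_-]?secret|api[_-]?key|password)["\']?\s*[:=]\s*["\'][^"\']{8,}["\']')


def find_hardcoded_secrets(source: str):
    """Return 1-based line numbers in *source* that look like hardcoded secrets."""
    return [n for n, line in enumerate(source.splitlines(), 1) if SECRET_ASSIGNMENT.search(line)]


if __name__ == "__main__":
    old = load_secret_from_env({"JWT_SECRET": "deploy-time-value-constructed-for-demo-1234"})
    tok = sign_jwt({"sub": "user-1", "exp": int(time.time()) + 3600}, old)
    print("verbose handler on malformed input:", refresh_handler_verbose("{not json", HARDCODED_CONFIG))
    print("hardened handler on malformed input:", refresh_handler_hardened("{not json", old))
    print("old token after rotation:", verify_jwt(tok, rotate_secret()))
```

Two design points worth noting: the hardened handler never lets an exception object reach the serializer (the 500 body in the "before" version is a generic dict dump, which is exactly the pattern that ships configuration to the client), and load_secret_from_env raises at startup rather than defaulting, so a missing deploy-time value is a visible failure instead of a silent weak key.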
Run a free scan on your domain — see what ThreatRiX finds in 60 seconds.