CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
The ArchiverSpaApi ASP.NET application uses a hard-coded JWT signing key. An unauthenticated remote attacker can generate and use a verifiable JWT token to access protected ArchiverSpaApi URL endpoints.
Analysis
Critical authentication bypass in ArchiverSpaApi ASP.NET applications caused by a hard-coded JWT signing key. An unauthenticated remote attacker who knows the key can forge valid JWT tokens, bypass authentication, and gain unauthorized access to protected API endpoints, potentially leading to data exfiltration, modification, or denial of service. The CVSS 8.1 score reflects high confidentiality, integrity, and availability impact; attack complexity is rated high, indicating some technical prerequisites.
Technical Context
ArchiverSpaApi is an ASP.NET web application that uses JWT (JSON Web Token) authentication to protect its API endpoints. The vulnerability is an instance of CWE-798 (Use of Hard-Coded Credentials): the application uses a static, non-random JWT signing key embedded in source code or configuration. A JWT's authenticity and integrity rest entirely on its signature, produced with either a symmetric key (HMAC) or an asymmetric private key. When the signing key is hard-coded and discoverable (through reverse engineering of the compiled assemblies, exposure of the source code, or public documentation), an attacker can use any standard JWT library to craft tokens whose signatures the application will accept. The ASP.NET JWT validation middleware accepts such forged tokens whenever the signature verifies under the configured key, so role-based access control and authentication checks are bypassed completely. The available data does not include a CPE string for the affected product; a generic representation would be CPE:2.3:a:*:archiverspaapi:*:*:*:*:*:asp.net:*:* or a similar variant.
Affected Products
ArchiverSpaApi (all versions using the hard-coded JWT key); specific version ranges are not disclosed in the available data. Affected platforms: Microsoft ASP.NET and ASP.NET Core deployments running ArchiverSpaApi. No CPE string is provided in the source material, but the generic representation CPE:2.3:a:*:archiverspaapi:*:*:*:*:*:asp.net:*:* likely applies. Affected configurations include default installations with out-of-the-box JWT settings, deployments where the configuration files containing the key were not rotated after deployment, and any instance where the signing key was not replaced with an environment-specific secret from a secrets manager. Web-facing instances and those reachable over untrusted networks are at highest risk.
Remediation
IMMEDIATE:
(1) Identify the hard-coded JWT signing key in ArchiverSpaApi source code, configuration files (appsettings.json, web.config), or compiled assemblies via decompilation.
(2) Revoke all existing JWT tokens immediately (reduce token TTL or maintain a revocation list).
(3) Generate a new, cryptographically random signing key (minimum 256 bits for HMAC-SHA256; 2048+ bits for RSA).
(4) Deploy an updated ArchiverSpaApi version whose JWT signing key is configurable and sourced from a secure credential store (Azure Key Vault, AWS Secrets Manager, HashiCorp Vault).
(5) Implement environment-specific key rotation.
WORKAROUNDS pending patch: Restrict network access to ArchiverSpaApi via firewall/WAF, implement IP whitelisting, disable JWT endpoints if not actively used, or run behind an OAuth 2.0 proxy that validates tokens independently.
SHORT-TERM: Monitor for token forgery attempts (abnormal claims, unexpected issuer/audience values).
LONG-TERM: Implement JWKS (JSON Web Key Set) endpoints for key distribution and establish key rotation policies.
Vendor advisories should be consulted at the ArchiverSpaApi publisher's security page (specific URL not provided in source data).
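The following ASP.NET Core configuration is an added example for the Technical Context and Remediation sections above; it is not code from ArchiverSpaApi or its publisher. It shows the hard-coded-key pattern (commented out) beside a hardened setup that refuses to start without an externally supplied key of adequate length and validates issuer, audience, lifetime and algorithm. It assumes the Microsoft.AspNetCore.Authentication.JwtBearer package, minimal-hosting top-level statements, and illustrative configuration keys Jwt:SigningKey, Jwt:Issuer and Jwt:Audience.

```csharp
// Added example (not ArchiverSpaApi's own code): JWT bearer setup in ASP.NET Core.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// VULNERABLE pattern (CWE-798): a constant compiled into the assembly. Anyone who
// decompiles the DLL or reads the repository can mint tokens this server trusts.
// const string SigningKey = "ArchiverSpaApi-default-key-CHANGE-ME";   // placeholder value

// HARDENED pattern: the key comes only from the environment-specific secret store
// (user secrets, an environment variable, or a vault provider such as Azure Key Vault
// registered with builder.Configuration.AddAzureKeyVault(...)). Never a compiled default.
string? keyB64 = builder.Configuration["Jwt:SigningKey"];   // assumed config key
if (string.IsNullOrEmpty(keyB64))
    throw new InvalidOperationException("Jwt:SigningKey is not configured; refusing to start.");

byte[] keyBytes = Convert.FromBase64String(keyB64);
if (keyBytes.Length < 32)   // HMAC-SHA256 needs at least 256 bits of key material
    throw new InvalidOperationException("Jwt:SigningKey must be at least 256 bits.");

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(keyBytes),
            // Pin the algorithm so an attacker cannot downgrade to "none" or swap schemes.
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
            ValidateIssuer = true,
            ValidIssuer = builder.Configuration["Jwt:Issuer"],       // assumed config key
            ValidateAudience = true,
            ValidAudience = builder.Configuration["Jwt:Audience"],   // assumed config key
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30)
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// Illustrative protected endpoint; every route must carry RequireAuthorization().
app.MapGet("/api/archive", () => Results.Ok("protected")).RequireAuthorization();
app.Run();

// Key rotation (run once per environment, then store the output in the secret store):
// Convert.ToBase64String(System.Security.Cryptography.RandomNumberGenerator.GetBytes(32))
```

Rotating the key invalidates every token signed with the old one, which is the revocation effect remediation step (2) asks for; tokens minted before rotation must be reissued.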
EUVD-2025-17816