Clawvet
Monthly
Session forgery in the clawvet self-hosted API server (apps/api) before 0.7.5 lets a remote unauthenticated attacker fully impersonate any user and steal their secret apiKey. The server ships a hard-coded fallback JWT secret ('clawvet-dev-secret-change-me') in auth.ts and .env.example, while an unauthenticated GET /api/v1/scans endpoint leaks victim userId values; combining these, an attacker forges a valid HS256 cg_session cookie offline and calls GET /api/v1/auth/me to exfiltrate the victim's email, subscription plan, and API key. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the technique is fully described and trivially reproducible; only the self-hosted API is affected, not the published clawvet npm CLI package.
Session forgery in the clawvet self-hosted API server (apps/api) before 0.7.5 lets a remote unauthenticated attacker fully impersonate any user and steal their secret apiKey. The server ships a hard-coded fallback JWT secret ('clawvet-dev-secret-change-me') in auth.ts and .env.example, while an unauthenticated GET /api/v1/scans endpoint leaks victim userId values; combining these, an attacker forges a valid HS256 cg_session cookie offline and calls GET /api/v1/auth/me to exfiltrate the victim's email, subscription plan, and API key. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the technique is fully described and trivially reproducible; only the self-hosted API is affected, not the published clawvet npm CLI package.