CVE-2025-13877


Date: December 2, 2025

A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function in the file nocobase\packages\core\auth\src\base\jwt-service.ts of the JWT Service component. Manipulation of the argument API_KEY results in use of a hard-coded cryptographic key. The attack can be launched remotely, with high attack complexity; exploitability is rated as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
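The weakness class here (CWE-321 in a JWT service) is a signing secret that falls back to a built-in value when the configured one is absent. The following is an added illustration, not nocobase's code: a `weakSecret` loader showing the fallback pattern beside a `loadJwtSecret` loader that fails closed, plus a minimal HS256 sign/verify on node's `crypto` to show the effect of the key choice. The environment variable name `API_KEY`, the placeholder values and the 32-byte minimum are assumptions.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "crypto";

// Constructed placeholder values for illustration only; not nocobase's real default.
const PLACEHOLDER_SECRETS = new Set(["test-key-should-not-be-used-in-production", "change-me"]);
const MIN_SECRET_BYTES = 32; // assumed policy: 256-bit HMAC key

// Weak pattern (CWE-321): a missing API_KEY silently falls back to a built-in secret,
// so every deployment that forgot to set it signs tokens with the same known key.
export function weakSecret(env: Record<string, string | undefined>): string {
  return env.API_KEY ?? "test-key-should-not-be-used-in-production";
}

// Hardened loader: refuse to start on a missing, placeholder, or short secret.
export function loadJwtSecret(env: Record<string, string | undefined>): string {
  const key = env.API_KEY?.trim();
  if (!key) throw new Error("API_KEY must be set; refusing to fall back to a built-in JWT secret");
  if (PLACEHOLDER_SECRETS.has(key)) throw new Error("API_KEY is a known placeholder value");
  if (Buffer.byteLength(key) < MIN_SECRET_BYTES) throw new Error(`API_KEY must be at least ${MIN_SECRET_BYTES} bytes`);
  return key;
}

// Generates a secret suitable for API_KEY, e.g. from a first-run setup script.
export function generateSecret(): string {
  return randomBytes(MIN_SECRET_BYTES).toString("base64url");
}

const b64 = (s: string): string => Buffer.from(s).toString("base64url");

// Minimal HS256 JWT signer; dependency-free so the example runs stand-alone.
export function sign(payload: object, secret: string): string {
  const head = b64(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64(JSON.stringify(payload));
  const sig = createHmac("sha256", secret).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}

// Verifies the signature with a constant-time compare; returns the payload or null.
export function verify(token: string, secret: string): Record<string, unknown> | null {
  const [head, body, sig] = token.split(".");
  if (!head || !body || !sig) return null;
  const expected = createHmac("sha256", secret).update(`${head}.${body}`).digest();
  const got = Buffer.from(sig, "base64url");
  if (got.length !== expected.length || !timingSafeEqual(got, expected)) return null;
  return JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
}
```

A deployment check is the same as the loader: a service whose secret equals a shipped default, or whose tokens verify under that default, is running with a shared key and needs the secret set and every issued token rotated.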

Severity Score

Weakness Type (CWE)

- CWE-320: Key Management Errors
- CWE-321: Use of Hard-coded Cryptographic Key
- CWE-1320: Improper Protection for Outbound Error Messages and Alert Signals

Top Fix

Upgrade Version

Upgrade to one of the following fixed versions:

- @nocobase/auth - 1.9.0-beta.18
- @nocobase/auth - 1.9.22
- @nocobase/auth - 1.9.23
- @nocobase/auth - 2.0.0-alpha.52
- https://github.com/nocobase/nocobase.git - v1.9.0-beta.18
- https://github.com/nocobase/nocobase.git - v1.9.22

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): LOW

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): HIGH
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): PARTIAL