Home > Vulnerability Database > WS-2020-0145

Mend.io Vulnerability Database

WS-2020-0145

Date: August 19, 2025

Server JWT signing secret was included in static assets and served to clients. This ALLOWS Flood's builtin authentication to be bypassed. Given Flood is granted access to rTorrent's SCGI interface (which is unprotected and ALLOWS arbitrary code execution) and usually wide-ranging privileges to files, along with Flood's lack of security controls against authenticated users, the severity of this vulnerability is CRITICAL.

Language: JS

Severity Score

5.5

Related Resources (5)

Url: https://github.com/jesec/flood/commit/d137107ac908526d43966607149fbaf00cfcedf0

Url: https://github.com/jesec/flood/commit/103f53c8d2963584e41bcf46ccc6fe0fabf179ca

Url: https://github.com/jesec/flood

Url: https://github.com/jesec/flood/security/advisories/GHSA-r587-7jh2-4qr3

Url: https://www.mend.io/vulnerability-database/WS-2020-0145

Severity Score

5.5

Weakness Type (CWE)

Code

CWE-17

CVSS v3.1

Base Score:	5.5
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

WS-2020-0145

Date: August 19, 2025

Language: JS

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?