![[@frangoteam/fuxa] FUXA has a hardcoded fallback JWT signing secret](/assets/images/github_com_1773014665001.png)
Security Advisories์ถ์ฒ: GitHub Security Advisories์กฐํ์ 1
[@frangoteam/fuxa] FUXA has a hardcoded fallback JWT signing secret
By GitHub2026๋
3์ 7์ผ
**[@frangoteam/fuxa] FUXA has a hardcoded fallback JWT signing secret**
FUXA used a static fallback JWT signing secret (frangoteam751) when no secretCode was configured. If authentication was enabled without explicitly setting a custom secret, an attacker who knew the default value could forge valid JWT tokens and bypass authentication. This issue has been addressed in version 1.3.0 by removing the static fallback and generating a secure random secret when no secretCode is provided. References https://github.com/frangoteam/FUXA/security/advisories/GHSA-c8m8-3jcr-6rj5 https://github.com/advisories/GHSA-c8m8-3jcr-6rj5
---
**[devsupporter ํด์ค]**
์ด ๊ธฐ์ฌ๋ GitHub Security Advisories์์ ์ ๊ณตํ๋ ์ต์ ๊ฐ๋ฐ ๋ํฅ์ ๋๋ค. ๊ด๋ จ ๋๊ตฌ๋ ๊ธฐ์ ์ ๋ํด ๋ ์์๋ณด์๋ ค๋ฉด ์๋ณธ ๋งํฌ๋ฅผ ์ฐธ๊ณ ํ์ธ์.
FUXA used a static fallback JWT signing secret (frangoteam751) when no secretCode was configured. If authentication was enabled without explicitly setting a custom secret, an attacker who knew the default value could forge valid JWT tokens and bypass authentication. This issue has been addressed in version 1.3.0 by removing the static fallback and generating a secure random secret when no secretCode is provided. References https://github.com/frangoteam/FUXA/security/advisories/GHSA-c8m8-3jcr-6rj5 https://github.com/advisories/GHSA-c8m8-3jcr-6rj5
---
**[devsupporter ํด์ค]**
์ด ๊ธฐ์ฌ๋ GitHub Security Advisories์์ ์ ๊ณตํ๋ ์ต์ ๊ฐ๋ฐ ๋ํฅ์ ๋๋ค. ๊ด๋ จ ๋๊ตฌ๋ ๊ธฐ์ ์ ๋ํด ๋ ์์๋ณด์๋ ค๋ฉด ์๋ณธ ๋งํฌ๋ฅผ ์ฐธ๊ณ ํ์ธ์.