Key Information

Vulnerability Name: Hardcoded JWT Secret Vulnerability in Litemall (≤ v1.8.0) (CWE-798)
Affected Versions: Litemall versions ≤ v1.8.0
Vulnerability Location: litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/util/JwtHelper.java

Vulnerability Description

The developer hard-coded the JWT secret key into the source code, making the key used to sign JSON Web Tokens (JWTs) predictable and static. Attackers can exploit this weakness to forge valid JWTs, thereby bypassing authentication and authorization checks, leading to privilege escalation and unauthorized access.

Related Vulnerable Code

Impact

- Forgery of JWT tokens to bypass authentication mechanisms
- Unauthorized access to protected resources and administrative functions
- Privilege escalation and potential full system compromise

Root Cause

Sensitive cryptographic keys (the JWT secret) were directly hard-coded in the application source code, violating CWE-798: Use of Hard-coded Credentials.

Remediation Recommendation

Avoid embedding the JWT secret directly in the code. Instead, generate a strong and unpredictable JWT secret at runtime (e.g., in a static initialization block or from a secure configuration source) to mitigate attacks exploiting predictable keys.
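The following is an added example, not code from Litemall or its JwtHelper, illustrating the remediation above: a fixed, compiled-in secret next to a secret resolved once in a static initialization block, first from a configuration source and otherwise from SecureRandom. The environment variable name LITEMALL_JWT_SECRET and the placeholder secret string are assumptions for the example, not values the project defines, and the HS256 signer is a minimal JDK-only implementation rather than whatever JWT library the project uses.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Minimal HS256 JWT signer/verifier used to contrast a hard-coded secret with a runtime one. */
public final class JwtSecretDemo {

    // WEAK (the pattern this advisory describes): a fixed secret compiled into the class.
    // Anyone who can read the source or the jar knows it and can mint tokens the server accepts.
    static final byte[] HARDCODED_SECRET =
            "placeholder-hardcoded-secret".getBytes(StandardCharsets.UTF_8); // placeholder, not the project's real key

    // FIXED: secret resolved once at class initialisation. Preference order:
    //   1. an operator-supplied value from a secure configuration source
    //      (LITEMALL_JWT_SECRET is an assumed variable name, not one Litemall defines);
    //   2. otherwise 32 random bytes from SecureRandom. Option 2 changes on every restart,
    //      which invalidates all outstanding tokens and breaks multi-instance deployments,
    //      so option 1 is the one to rely on in production.
    static final byte[] RUNTIME_SECRET;
    static {
        String configured = System.getenv("LITEMALL_JWT_SECRET");
        if (configured != null && configured.length() >= 32) {
            RUNTIME_SECRET = configured.getBytes(StandardCharsets.UTF_8);
        } else {
            RUNTIME_SECRET = new byte[32];
            new SecureRandom().nextBytes(RUNTIME_SECRET);
        }
    }

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    private static byte[] hmac(byte[] key, String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Builds header.payload.signature for a caller-supplied JSON payload. */
    static String sign(byte[] secret, String payloadJson) {
        String header = B64.encodeToString(
                "{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = B64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        return signingInput + "." + B64.encodeToString(hmac(secret, signingInput));
    }

    /** Returns the payload JSON if the signature is valid under {@code secret}, otherwise null. */
    static String verify(byte[] secret, String token) {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return null;
        // Only HS256 is accepted; the header's alg field is never used to choose the algorithm.
        byte[] expected = hmac(secret, parts[0] + "." + parts[1]);
        byte[] actual;
        try {
            actual = B64D.decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return null;
        }
        if (!MessageDigest.isEqual(expected, actual)) return null; // constant-time comparison
        return new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String claims = "{\"userId\":1,\"role\":\"admin\"}"; // constructed sample claims

        // A token signed with the compiled-in value validates on a server that still uses it...
        String forged = sign(HARDCODED_SECRET, claims);
        System.out.println("hard-coded-secret server accepts the token: " + (verify(HARDCODED_SECRET, forged) != null));

        // ...but is rejected by a server whose secret was set at runtime and never shipped in the jar.
        System.out.println("runtime-secret server accepts the token:    " + (verify(RUNTIME_SECRET, forged) != null));

        // Tokens issued with the runtime secret still verify normally.
        String legit = sign(RUNTIME_SECRET, claims);
        System.out.println("runtime-secret server accepts its own token: " + (verify(RUNTIME_SECRET, legit) != null));
    }
}
```

Run it with `javac JwtSecretDemo.java && java JwtSecretDemo`; the first line prints `true`, the second `false`, the third `true`. Two points worth checking in a real fix: the secret must be at least as long as the HMAC output (32 bytes for HS256), and the verifier must pin the algorithm rather than reading it from the token header, otherwise replacing the key addresses only half of the token-forgery surface.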