CVE-2024-57432

CVE-2024-57432 is an insecure permissions vulnerability in macrozheng mall-tiny version 1.0.1. The issue stems from hardcoded JWT signing keys that remain unchanged across deployments. User information is explicitly embedded in the JWT payloads, which the application relies on for subsequent privilege management, enabling attackers to forge valid JWTs for arbitrary users and bypass authentication entirely. The vulnerability is classified under CWE-287 (Improper Authentication) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Any unauthenticated attacker with network access to the application can exploit this flaw due to its low attack complexity and lack of prerequisites. By obtaining the static signing key—potentially through source code review, decompilation, or public disclosure—attackers can craft JWTs impersonating any user, including administrators. This grants unauthorized access to sensitive user data and privileged functions, resulting in high confidentiality impact without affecting integrity or availability.

Mitigation guidance is available in the referenced advisory at https://github.com/peccc/restful_vul/blob/main/mall_tiny_weak_jwt/mall_tiny_weak_jwt.md, published alongside the CVE on 2025-01-31. Security practitioners should review it for patching instructions, key rotation recommendations, or configuration changes to secure JWT handling in mall-tiny deployments.