Cyber Posture

CVE-2025-69985

CriticalPublic PoC

Published: 24 February 2026

Published
24 February 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0469 89.4th percentile
Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Description

FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can bypass JWT…

more

authentication by spoofing the Referer header to match the server's host. Successful exploitation allows the attacker to access the protected /api/runscript endpoint and execute arbitrary Node.js code on the server.

Mitigating Controls (NIST 800-53 r5)AI

IA-8 Identification and Authentication (Non-organizational Users) good match
prevent

Requires unique identification and authentication of non-organizational users, preventing remote unauthenticated attackers from bypassing JWT validation via spoofed Referer header.

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for access to protected resources like the /api/runscript endpoint, countering the middleware's improper trust in the Referer header.

SI-2 Flaw Remediation good match
prevent

Directly identifies, reports, and corrects the flaw in server/api/jwt-helper.js that enables authentication bypass and subsequent RCE.

Security SummaryAI

CVE-2025-69985 is an authentication bypass vulnerability in FUXA versions 1.2.8 and prior, enabling remote code execution (RCE). The issue resides in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. By spoofing this header to match the server's host, attackers can bypass JSON Web Token (JWT) authentication. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel). It was published on 2026-02-24.

A remote unauthenticated attacker can exploit this flaw over the network with low complexity and no privileges required. By crafting requests with a forged Referer header, the attacker bypasses authentication checks and gains access to the protected /api/runscript endpoint. This allows execution of arbitrary Node.js code on the server, potentially leading to full system compromise, data theft, or further lateral movement.

References include a GitHub Gist at https://gist.github.com/lihy10/8cb2dd65ebf1385f12a7e00e25a50d40, which appears to detail the vulnerability or proof-of-concept, and the source code of the affected jwt-helper.js file at https://github.com/frangoteam/FUXA/blob/master/server/api/jwt-helper.js. No specific patch or mitigation details are outlined in the provided information.

Details

CWE(s)
CWE-288

Affected Products

frangoteam
fuxa
≤ 1.2.8

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
attack.mitre.org →
Why these techniques?

The vulnerability is an authentication bypass in a public-facing web application (T1190) that allows unauthenticated remote attackers to access a protected API endpoint for executing arbitrary Node.js code (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References