Hardcoded JWT Secret Vulnerability in Litemall (≤ v1.8.0) (CWE-798) #568

@ez-lbz


Summary

A hardcoded JWT secret vulnerability exists in Litemall versions ≤ 1.8.0. The issue is located in:

litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/util/JwtHelper.java

The developers hardcoded the JWT secret directly into the source code, resulting in a predictable and static key for signing JSON Web Tokens (JWTs). This weakness enables attackers to forge valid JWTs, potentially leading to privilege escalation and unauthorized access.


Details

The JWT secret key, which is used to sign and verify tokens, is hardcoded in the application. An attacker with access to the codebase or who obtains the binary (e.g., via decompilation) can easily retrieve the secret key. With the known key, the attacker can craft valid tokens with arbitrary claims, bypassing authentication and authorization checks.

Relevant vulnerable code (excerpt from `JwtHelper.java`; comments translated from Chinese):

```java
// Secret key
static final String SECRET = "X-Litemall-Token";
// Who generates the signature (issuer)
static final String ISSUSER = "LITEMALL";
// Subject of the signature
static final String SUBJECT = "this is litemall token";
// Audience of the signature
static final String AUDIENCE = "MINIAPP";
```

Impact

Exploitation of this vulnerability can result in:

  • Forging of JWT tokens, bypassing authentication mechanisms

  • Unauthorized access to protected resources and administrative functions

  • Privilege escalation and potential full system compromise


Root Cause

The root cause of the vulnerability is the insecure practice of hardcoding sensitive cryptographic keys (JWT secret) directly in the application source code, violating CWE-798: Use of Hard-coded Credentials.


Remediation

Instead of embedding the JWT secret directly in the code, generate a strong and unpredictable JWT secret at runtime (e.g., within a static initialization block or from a secure configuration source) to mitigate predictable key attacks.
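The following class is an added example written for this report, not code from the Litemall project. It shows the two remediation paths named above: loading the secret from configuration (here an environment variable whose name, `LITEMALL_JWT_SECRET`, is an assumption for the example) and, as a fallback, generating one at startup. It also enforces the 256-bit minimum that RFC 7518 requires for HS256 keys and refuses to start when the secret is absent, so the application can never fall back to a well-known string. The resulting `keyBytes()` would be handed to whichever JWT library the application signs with in place of the `SECRET` constant.

```java
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Supplies the HMAC key used to sign and verify JWTs without embedding it in
 * source. The key comes from configuration (preferred) or, for a single
 * process, is generated at startup.
 */
public final class JwtSecretProvider {

    // RFC 7518 section 3.2: an HS256 key must be at least 256 bits (32 bytes).
    static final int MIN_KEY_BYTES = 32;

    // Environment variable name is an assumption made for this example; the
    // project itself does not define it.
    static final String ENV_NAME = "LITEMALL_JWT_SECRET";

    private final byte[] key;

    private JwtSecretProvider(byte[] key) {
        this.key = key;
    }

    /** Loads the secret from the environment and fails fast if it is missing or weak. */
    public static JwtSecretProvider fromEnvironment() {
        return fromConfiguredValue(System.getenv(ENV_NAME));
    }

    /**
     * Parses a configured value. The value is expected to be standard Base64 so
     * that operators can provision 32 random bytes rather than a human-chosen
     * passphrase that an attacker could guess.
     */
    static JwtSecretProvider fromConfiguredValue(String configured) {
        if (configured == null || configured.trim().isEmpty()) {
            throw new IllegalStateException(ENV_NAME + " is not set; refusing to start without a JWT secret");
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(configured.trim());
        } catch (IllegalArgumentException e) {
            throw new IllegalStateException(ENV_NAME + " must be Base64-encoded random bytes", e);
        }
        if (decoded.length < MIN_KEY_BYTES) {
            throw new IllegalStateException(ENV_NAME + " decodes to " + decoded.length
                    + " bytes; at least " + MIN_KEY_BYTES + " are required for HS256");
        }
        return new JwtSecretProvider(decoded);
    }

    /**
     * Generates a fresh random key. Suitable only for a single process: every
     * restart invalidates all outstanding tokens, and two instances behind a
     * load balancer would not accept each other's tokens.
     */
    public static JwtSecretProvider generateEphemeral() {
        byte[] fresh = new byte[MIN_KEY_BYTES];
        new SecureRandom().nextBytes(fresh);
        return new JwtSecretProvider(fresh);
    }

    /** Returns a copy so callers cannot mutate the stored key. */
    public byte[] keyBytes() {
        return key.clone();
    }

    /** Base64 form of the key, for writing a freshly generated one into configuration. */
    public String toBase64() {
        return Base64.getEncoder().encodeToString(key);
    }

    public static void main(String[] args) {
        if (args.length == 1 && args[0].equals("--generate")) {
            // Operator path: print a value to place in LITEMALL_JWT_SECRET.
            System.out.println(JwtSecretProvider.generateEphemeral().toBase64());
            return;
        }
        // Application path: a missing or short secret aborts startup here
        // instead of silently signing tokens with a predictable string.
        JwtSecretProvider provider = JwtSecretProvider.fromEnvironment();
        System.out.println("JWT key loaded: " + provider.keyBytes().length + " bytes");
    }
}
```

Run `java JwtSecretProvider --generate` once to obtain a Base64 value, store it in the deployment's secret store or environment, then start the application normally. Rotating the secret invalidates every token signed under the old one, so after fixing a hardcoded key all users must re-authenticate; that is the intended outcome here, since any token issued under the published key should be treated as forgeable.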
