CVE-2025-47945 CRITICAL

CVE-2025-47945: Donetick Has Weak Default JWT Secret

Vendor Donetick
Product donetick
Weakness CWE-453
Published May 17, 2025
Last update May 19, 2025

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

Description

Donetick is an open-source app for managing tasks and chores. Prior to version 0.1.44, the application uses JSON Web Tokens (JWT) for authentication, but the signing secret has a weak default value. Although changing it is left to the system administrator, relying on that is inadequate. The vulnerability is confirmed by the presence of the same issue in the live version as well. This issue can result in full account takeover of any user. Version 0.1.44 contains a patch.
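As an added example (not Donetick's or the advisory's own code), a Go startup check of the kind that addresses the CWE-453 weakness described here: it refuses a JWT signing secret that is unset, a placeholder, shorter than 256 bits, or made of very few distinct characters, and offers a generator for a proper one. The placeholder list, thresholds and function names are assumptions for this example, not values taken from the advisory.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed placeholder list for this example, not Donetick's actual default value.
var placeholderSecrets = []string{"secret", "changeme", "default", "jwt_secret"}
const minSecretBytes = 32  // 256 bits, the HS256 key size RFC 7518 recommends
const minDistinctRunes = 8 // crude entropy floor: rejects "aaaa..." style padding

// ValidateJWTSecret is meant to run at startup: a nil result means the service may
// sign tokens with this secret; any error should abort the process instead.
func ValidateJWTSecret(secret string) error {
	s := strings.TrimSpace(secret)
	if s == "" {
		return fmt.Errorf("jwt secret is not set")
	}
	for _, p := range placeholderSecrets {
		if strings.EqualFold(s, p) {
			return fmt.Errorf("jwt secret is the placeholder value %q", p)
		}
	}
	if len(s) < minSecretBytes {
		return fmt.Errorf("jwt secret is %d bytes, need at least %d", len(s), minSecretBytes)
	}
	distinct := map[rune]bool{}
	for _, r := range s {
		distinct[r] = true
	}
	if len(distinct) < minDistinctRunes {
		return fmt.Errorf("jwt secret uses only %d distinct characters", len(distinct))
	}
	return nil
}

// GenerateJWTSecret returns a fresh 32-byte random secret, hex encoded, for the operator's config.
func GenerateJWTSecret() (string, error) {
	buf := make([]byte, minSecretBytes)
	_, err := rand.Read(buf)
	return hex.EncodeToString(buf), err
}

func main() {
	g, _ := GenerateJWTSecret()
	fmt.Println(ValidateJWTSecret("secret"), ValidateJWTSecret(g))
}
```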

Key dates

Disclosure timeline

May 17, 2025 CVE published
May 19, 2025 Record updated