CVE-2023-25403
Description
CleverStupidDog yf-exam v1.8.0 is vulnerable to authentication bypass. The program uses a fixed JWT key, and the stored key is derived from the username. For any user who logged in within the last 24 hours, a token can be forged from that username to bypass authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
yf-exam v1.8.0 uses a fixed, username-derived JWT key, allowing authenticated users to forge tokens for any other user who logged in within 24 hours.
Vulnerability
CleverStupidDog yf-exam version 1.8.0 suffers from an authentication bypass due to a weak JSON Web Token (JWT) implementation. The JWT secret key is derived from the username by taking its double MD5 hash (encryptSecret()), which is fixed for the current month. The token payload contains the username and is valid for 24 hours (EXPIRE_TIME = 24 * 60 * 60 * 1000). An attacker with knowledge of any valid username can forge a token for that user without knowing their password. Logged-in users can also forge tokens for other users [1][2].
Exploitation
An attacker must first know a valid username on the system. No authentication is required for forging if the username is known, but the victim user must have logged in within the last 24 hours (the token validity window). The attacker crafts a JWT using the fixed algorithm (HMAC256), sets the username claim to the target username, and signs it using the double-MD5 hash of that username as the secret key. The forged token is then presented to any protected endpoint; the system validates the token and grants access with the target user's privileges [1]. A proof-of-concept (PoC) script provided in reference [1] demonstrates this.
Impact
Successful exploitation allows an attacker to completely bypass authentication and impersonate any user who has logged in within the past 24 hours. This includes administrators, granting full access to all system functions: user management, role/permission management, exam creation, and sensitive data access. The confidentiality, integrity, and availability of the entire application are compromised [1][2].
Mitigation
As of the publication date (2023-03-03), no official patched version has been released. The project appears to be unmaintained. The only workaround is to replace the fixed JWT secret with a proper, cryptographically random secret stored securely (e.g., in environment variables) and to enforce per-user or per-session secrets. Additionally, implement short-lived access tokens with refresh tokens. Without these changes, the vulnerability remains exploitable [1][2].
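The mitigation above in working form, as an added example that is not yf-exam's code: the secret is deployment-wide and random (assumed environment variable YF_JWT_SECRET, with a random fallback so the example runs stand-alone), the algorithm is pinned to HS256, the signature is compared in constant time, and access tokens expire after 15 minutes instead of 24 hours. A token signed under any other key, including one derived from a username, is rejected.

```python
"""Minimal HS256 JWT issue/verify with a deployment-wide random secret (hardened form)."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

# Secret belongs to the deployment, never to the user; the fallback is only for this demo.
SECRET = os.environ.get("YF_JWT_SECRET", "").encode() or secrets.token_bytes(32)
ACCESS_TTL = 15 * 60  # seconds; short-lived access token, pair with a refresh token in practice


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def issue_token(username: str, key: bytes = SECRET, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": username, "iat": int(now), "exp": int(now) + ACCESS_TTL}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    signature = _sign(f"{header}.{payload}".encode(), key)
    return f"{header}.{payload}.{_b64(signature)}"


def verify_token(token: str, key: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims when signature, algorithm and expiry all check out, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_unb64(header_b64)).get("alg") != "HS256":
            return None  # pin the algorithm; never let the token choose it
        expected = _sign(f"{header_b64}.{payload_b64}".encode(), key)
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        claims = json.loads(_unb64(payload_b64))
        if claims.get("exp", 0) <= now:
            return None
        return claims
    except ValueError:  # malformed base64 or JSON, wrong number of segments
        return None
```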
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CleverStupidDog/yf-exam
- Range: = 1.8.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.