Unrated severityNVD Advisory· Published May 17, 2025· Updated May 19, 2025

Donetick Has Weak Default JWT Secret

CVE-2025-47945

Description

Donetick an open-source app for managing tasks and chores. Prior to version 0.1.44, the application uses JSON Web Tokens (JWT) for authentication, but the signing secret has a weak default value. While the responsibility is left to the system administrator to change it, this approach is inadequate. The vulnerability is proven by existence of the issue in the live version as well. This issue can result in full account takeover of any user. Version 0.1.44 contains a patch.

Affected products

Donetick/Donetickllm-create
Range: <0.1.44
donetick/donetickv5
Range: < 0.1.44

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/donetick/donetick/commit/620b897bc0135f6668bb8a5562678104531108ebmitrex_refsource_MISC
github.com/donetick/donetick/commit/b9a6e177eefdc605dedbc5320f0d93d6573d1db6mitrex_refsource_MISC
github.com/donetick/donetick/security/advisories/GHSA-hjjg-vw4j-986xmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000