
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical security vulnerability (CVE-2023-46943) was discovered in the npm package @evershop/evershop before version 1.0.0-rc.8. The vulnerability stems from a hardcoded HMAC secret used for generating authentication tokens, which was set to the literal string "secret". The vulnerability was disclosed on January 12, 2024, and affects all versions of the package prior to 1.0.0-rc.8 (NVD, DevHub).
The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (CRITICAL) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, and is classified under CWE-798 (Use of Hard-coded Credentials). Technically, the application signed its JSON Web Tokens (JWTs) with a predictable, hardcoded HMAC secret. Because an HMAC-signed JWT is only as secret as its signing key, a known key means the signature no longer proves that the application issued the token (NVD).
Anyone who knows the hardcoded secret can forge JWTs with arbitrary claims that the application accepts as valid, without any prior authentication (PR:N) or user interaction (UI:N). This enables unauthorized access to sensitive information and to privileged actions within the application. The impact covers both confidentiality and integrity of the system, but not availability, which matches the C:H/I:H/A:N vector (DevHub).
The vulnerability has been fixed in version 1.0.0-rc.8 of @evershop/evershop by replacing token-based authentication with session authentication. Users are advised to upgrade to this version or later. Deployments that cannot upgrade immediately should treat every token issued by an affected version as untrusted, since the secret cannot be rotated without changing the code (DevHub).
Source: This report was generated using AI