Insufficiently protected credentials
Description
This rule flags payload objects passed to jose.JWT.sign(...). A token produced by JWT.sign is a JWS: the payload is signed for integrity but is not encrypted, so anyone who obtains the token (the client, a proxy, anything that logs the Authorization header) can read every claim by base64url-decoding the middle segment. Make sure that sensitive information such as passwords, secrets, API keys or personal data is not placed in the JWT payload.
Examples
Insecure Code
```javascript
const jwt = require('jose');
// The payload is only base64url-encoded inside the signed token, not encrypted:
// any holder of the token can read 'secret' without knowing 'secretKey'.
jwt.JWT.sign({ sensitiveData: 'secret' }, 'secretKey');
```
Secure Code
```javascript
const jwt = require('jose');
// Keep the payload to non-sensitive identifiers; anything sensitive stays
// server-side and is looked up from the identifier when the token is verified.
const payload = { userId: 1 };
jwt.JWT.sign(payload, 'secretKey');
```
Remediation
Review the code to ensure sensitive information is not being passed to the JWT token payload. Carry only the identifiers needed to look the data up server-side (for example a user or session ID), and keep secrets, credentials and personal data out of the claims entirely. If data genuinely has to travel inside the token, sign and encrypt it with JWE rather than relying on a JWS signature, which provides no confidentiality.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0404 |
| Category | Secrets |
| Severity | HIGH |
| CWE | CWE-522 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | jwt, sensitive data |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |