Look up vulnerable packages by Package URL.

GET /api/packages/72840?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/72840?format=api",
    "purl": "pkg:npm/%40nocobase/auth@1.9.0-beta.18",
    "type": "npm",
    "namespace": "@nocobase",
    "name": "auth",
    "version": "1.9.0-beta.18",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": false,
    "next_non_vulnerable_version": "1.9.0-beta.18",
    "latest_non_vulnerable_version": "2.0.0-alpha.52",
    "affected_by_vulnerabilities": [],
    "fixing_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49375?format=api",
            "vulnerability_id": "VCID-9uh7-mmqf-pkdb",
            "summary": "Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments\n\nCVE-2025-13877 is an **authentication bypass vulnerability caused by insecure default JWT key usage** in NocoBase Docker deployments.\n\nBecause the official one-click Docker deployment configuration historically provided a **public default JWT key**, attackers can **forge valid JWT tokens without possessing any legitimate credentials**. By constructing a token with a known `userId` (commonly the administrator account), an attacker can directly bypass authentication and authorization checks.\n\nSuccessful exploitation allows an attacker to:\n\n- Bypass authentication entirely\n- Impersonate arbitrary users\n- Gain full administrator privileges\n- Access sensitive business data\n- Create, modify, or delete users\n- Access cloud storage credentials and other protected secrets\n\nThe vulnerability is **remotely exploitable**, requires **no authentication**, and has **public proof-of-concept exploits available**.\nThis issue is functionally equivalent in impact to other JWT secret exposure vulnerabilities such as **CVE-2024-43441** and **CVE-2025-30206**.\n\nDeployments that used the default Docker configuration without explicitly overriding the JWT secret are affected.",
            "references": [
                {
                    "reference_url": "https://docs.nocobase.com/welcome/getting-started/installation/docker-compose",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://docs.nocobase.com/welcome/getting-started/installation/docker-compose"
                },
                {
                    "reference_url": "https://gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d"
                },
                {
                    "reference_url": "https://github.com/nocobase/nocobase",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/nocobase/nocobase"
                },
                {
                    "reference_url": "https://github.com/nocobase/nocobase/blob/main/docker/app-mariadb/docker-compose.yml#L13",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/nocobase/nocobase/blob/main/docker/app-mariadb/docker-compose.yml#L13"
                },
                {
                    "reference_url": "https://github.com/nocobase/nocobase/blob/main/docker/app-mysql/docker-compose.yml#L13",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/nocobase/nocobase/blob/main/docker/app-mysql/docker-compose.yml#L13"
                },
                {
                    "reference_url": "https://github.com/nocobase/nocobase/blob/main/docker/app-postgres/docker-compose.yml#L11",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/nocobase/nocobase/blob/main/docker/app-postgres/docker-compose.yml#L11"
                },
                {
                    "reference_url": "https://github.com/nocobase/nocobase/blob/main/docker/app-sqlite/docker-compose.yml#L11",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/nocobase/nocobase/blob/main/docker/app-sqlite/docker-compose.yml#L11"
                },
                {
                    "reference_url": "https://github.com/nocobase/nocobase/commit/de4292ea7847dd26c6306445091769f8b9ee96d5",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/nocobase/nocobase/commit/de4292ea7847dd26c6306445091769f8b9ee96d5"
                },
                {
                    "reference_url": "https://v2.docs.nocobase.com/get-started/installation/docker",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://v2.docs.nocobase.com/get-started/installation/docker"
                },
                {
                    "reference_url": "https://vuldb.com/?ctiid.334033",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://vuldb.com/?ctiid.334033"
                },
                {
                    "reference_url": "https://vuldb.com/?id.334033",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://vuldb.com/?id.334033"
                },
                {
                    "reference_url": "https://vuldb.com/?submit.692205",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://vuldb.com/?submit.692205"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13877",
                    "reference_id": "CVE-2025-13877",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13877"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-mv7p-34fv-4874",
                    "reference_id": "GHSA-mv7p-34fv-4874",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-mv7p-34fv-4874"
                },
                {
                    "reference_url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-mv7p-34fv-4874",
                    "reference_id": "GHSA-mv7p-34fv-4874",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-mv7p-34fv-4874"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/72840?format=api",
                    "purl": "pkg:npm/%40nocobase/auth@1.9.0-beta.18",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540nocobase/auth@1.9.0-beta.18"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/72698?format=api",
                    "purl": "pkg:npm/%40nocobase/auth@1.9.23",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540nocobase/auth@1.9.23"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/72841?format=api",
                    "purl": "pkg:npm/%40nocobase/auth@2.0.0-alpha.52",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540nocobase/auth@2.0.0-alpha.52"
                }
            ],
            "aliases": [
                "CVE-2025-13877",
                "GHSA-mv7p-34fv-4874"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9uh7-mmqf-pkdb"
        }
    ],
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540nocobase/auth@1.9.0-beta.18"
}