CVE-2024-57432
Published: 31 January 2025
Summary
CVE-2024-57432 is a high-severity Improper Authentication (CWE-287) vulnerability in Macrozheng Mall-Tiny. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires establishment and management of cryptographic keys for JWT signing, directly preventing the use of hardcoded static keys that enable forgery.
Mandates secure management of cryptographic authenticators, including protection and rotation of JWT signing keys to avoid hardcoding and unauthorized disclosure.
Ensures session authenticity through cryptographic mechanisms, preventing impersonation attacks via forged JWTs that bypass authentication.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The hardcoded JWT signing keys enable forging authentication tokens for any user (T1606: Forge Web Credentials) and allow exploitation of the public-facing web application for authentication bypass (T1190: Exploit Public-Facing Application).
NVD Description
macrozheng mall-tiny 1.0.1 suffers from Insecure Permissions. The application's JWT signing keys are hardcoded and do not change. User information is explicitly written into the JWT and used for subsequent privilege management, making it is possible to forge the JWT…
more
of any user to achieve authentication bypass.
Deeper analysisAI
CVE-2024-57432 is an insecure permissions vulnerability in macrozheng mall-tiny version 1.0.1. The issue stems from hardcoded JWT signing keys that remain unchanged across deployments. User information is explicitly embedded in the JWT payloads, which the application relies on for subsequent privilege management, enabling attackers to forge valid JWTs for arbitrary users and bypass authentication entirely. The vulnerability is classified under CWE-287 (Improper Authentication) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Any unauthenticated attacker with network access to the application can exploit this flaw due to its low attack complexity and lack of prerequisites. By obtaining the static signing key—potentially through source code review, decompilation, or public disclosure—attackers can craft JWTs impersonating any user, including administrators. This grants unauthorized access to sensitive user data and privileged functions, resulting in high confidentiality impact without affecting integrity or availability.
Mitigation guidance is available in the referenced advisory at https://github.com/peccc/restful_vul/blob/main/mall_tiny_weak_jwt/mall_tiny_weak_jwt.md, published alongside the CVE on 2025-01-31. Security practitioners should review it for patching instructions, key rotation recommendations, or configuration changes to secure JWT handling in mall-tiny deployments.
Details
- CWE(s)