CVE-2025-69985
Published: 24 February 2026
Summary
CVE-2025-69985 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Frangoteam Fuxa. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires unique identification and authentication of non-organizational users, preventing remote unauthenticated attackers from bypassing JWT validation via spoofed Referer header.
Enforces approved authorizations for access to protected resources like the /api/runscript endpoint, countering the middleware's improper trust in the Referer header.
Directly identifies, reports, and corrects the flaw in server/api/jwt-helper.js that enables authentication bypass and subsequent RCE.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an authentication bypass in a public-facing web application (T1190) that allows unauthenticated remote attackers to access a protected API endpoint for executing arbitrary Node.js code (T1059.007).
NVD Description
FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can bypass JWT…
more
authentication by spoofing the Referer header to match the server's host. Successful exploitation allows the attacker to access the protected /api/runscript endpoint and execute arbitrary Node.js code on the server.
Deeper analysisAI
CVE-2025-69985 is an authentication bypass vulnerability in FUXA versions 1.2.8 and prior, enabling remote code execution (RCE). The issue resides in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. By spoofing this header to match the server's host, attackers can bypass JSON Web Token (JWT) authentication. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel). It was published on 2026-02-24.
A remote unauthenticated attacker can exploit this flaw over the network with low complexity and no privileges required. By crafting requests with a forged Referer header, the attacker bypasses authentication checks and gains access to the protected /api/runscript endpoint. This allows execution of arbitrary Node.js code on the server, potentially leading to full system compromise, data theft, or further lateral movement.
References include a GitHub Gist at https://gist.github.com/lihy10/8cb2dd65ebf1385f12a7e00e25a50d40, which appears to detail the vulnerability or proof-of-concept, and the source code of the affected jwt-helper.js file at https://github.com/frangoteam/FUXA/blob/master/server/api/jwt-helper.js. No specific patch or mitigation details are outlined in the provided information.
Details
- CWE(s)