VU#458022: Open5GS WebUI uses ... Note

VU#458022: Open5GS WebUI uses a hard-coded secrets including JSON Web Token signing key

Open5GS WebUI has a vulnerability due to hardcoded default secrets, including the JWT signing key. This allows attackers to forge authentication tokens and gain administrative access. The WebUI, built with Node.js and Next.js, uses environment variables, by default set to "change-me," for cryptographic operations. This default is used for issuing and validating JWTs which leads to the vulnerability. Default configurations do not warn users about the insecure default secrets, making them easily exploitable. Attackers can create valid JWTs with the known default secret, bypassing CSRF protections. This allows unauthorized access to and modification of sensitive data via /api/db/* endpoints. The impact is full access to the WebUI and its permissions, including subscriber data. A patch is available introducing independent secrets via a .env file to fix this issue. Users without the patch should manually configure strong, unique, and secret values for SECRET_KEY and JWT_SECRET_KEY. Network access to the WebUI should be restricted with authentication gateways or proxies. The vulnerability was reported by Andrew Fasano from NIST, with a patch by Vijay Sarvepalli.