Typescript Jwt Unsafe Empty Password
Description
This vulnerability detector identifies JWT tokens signed with empty or null passwords in TypeScript applications using the jsonwebtoken library. When JWT tokens are signed without a proper secret key, they can be easily forged by attackers, completely compromising the authentication mechanism and allowing unauthorized access to protected resources.
Detection Strategy
• Scans TypeScript files for imports or usage of the 'jsonwebtoken' library
• Identifies calls to the JWT signing method (typically 'jwt.sign' or similar based on import alias)
• Analyzes the secret/password parameter passed to the signing function
• Reports a vulnerability when the secret parameter is an empty string, null, undefined, or otherwise invalid
• Flags cases where JWT tokens are being signed without proper cryptographic keys
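The strategy above written out as a small, dependency-free TypeScript scanner. This is an added example, not Fluid Attacks' detector: it assumes 'jsonwebtoken' is bound through a namespace import, a default import or require(), and inspects the second argument of every sign() call; the function names are invented.

```typescript
// Added example, not Fluid Attacks' detector: a dependency-free scanner for
// jsonwebtoken's sign() being called with an empty, null or missing secret.
// Aliases under which 'jsonwebtoken' is bound: `import * as jwt`, `import jwt`,
// or `const jwt = require('jsonwebtoken')`. Named imports are out of scope here.
function jwtAliases(src: string): string[] {
  const patterns = [
    /import\s+(?:\*\s+as\s+)?(\w+)\s+from\s+['"]jsonwebtoken['"]/g,
    /(?:const|let|var)\s+(\w+)\s*=\s*require\(\s*['"]jsonwebtoken['"]\s*\)/g,
  ];
  const names: string[] = [];
  for (const re of patterns) {
    let m: RegExpExecArray | null;
    while ((m = re.exec(src))) names.push(m[1]);
  }
  return names;
}
// Split the call whose `(` is at index `open` into top-level argument texts,
// skipping string literals and // comments so commas inside them do not split.
function callArgs(src: string, open: number): string[] {
  const args: string[] = [];
  let depth = 0, cur = '', i = open + 1;
  const flush = () => { if (cur.trim() || args.length) args.push(cur.trim()); cur = ''; };
  while (i < src.length) {
    const c = src[i];
    if (c === '/' && src[i + 1] === '/') { i = src.indexOf('\n', i); if (i < 0) break; continue; }
    if (c === '"' || c === "'" || c === '`') {   // copy a whole string literal verbatim
      let j = i + 1;
      while (j < src.length && src[j] !== c) j += src[j] === '\\' ? 2 : 1;
      cur += src.slice(i, j + 1); i = j + 1; continue;
    }
    if ('([{'.includes(c)) depth++;
    else if (')]}'.includes(c)) { if (depth === 0) { flush(); return args; } depth--; }
    else if (c === ',' && depth === 0) { flush(); i++; continue; }
    cur += c; i++;
  }
  return args;
}
// Report every `<alias>.sign(...)` whose secret argument is missing or is an
// empty-string, null or undefined literal, with its 1-based line number.
export function findEmptySecretSigns(src: string): { line: number; secret: string }[] {
  const findings: { line: number; secret: string }[] = [];
  for (const alias of jwtAliases(src)) {
    const callRe = new RegExp(`\\b${alias}\\.sign\\s*\\(`, 'g');
    for (let m: RegExpExecArray | null; (m = callRe.exec(src)); ) {
      const args = callArgs(src, m.index + m[0].length - 1);
      const secret = args.length > 1 ? args[1] : 'undefined';
      if (/^(?:""|''|``|null|undefined)$/.test(secret))
        findings.push({ line: src.slice(0, m.index).split('\n').length, secret });
    }
  }
  return findings;
}
```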
Vulnerable code example
import * as jwt from 'jsonwebtoken';

// VULNERABLE: jwt.sign with empty secret literal
function vulnerableJwtEmptySecret(): string {
  return jwt.sign(
    { user: "admin" },
    "" // Empty secret makes JWT easily forgeable
  );
}
✅ Secure code example
import * as jwt from 'jsonwebtoken';

// SECURE: jwt.sign with strong secret from environment
function secureJwtFromEnv(): string {
  const secret = process.env.JWT_SECRET;
  if (!secret || secret.length < 32) {
    // Fail closed: a hard-coded fallback would give every deployment a known secret
    throw new Error('JWT_SECRET must be set and at least 32 characters long');
  }
  return jwt.sign(
    { user: "admin" },
    secret // Safe: non-empty secret from environment variable
  );
}