Fluid Attacks Database

Description

FUXA contains an insecure default configuration vulnerability FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API endpoints, modify projects, and control industrial equipment immediately after installation.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
npm	fuxa-server	>=0 <=1.2.7

Aliases

1. CVE-2025-699702. NVD-2025-699703. OSV-2025-699704. GCVE-2025-69970

References

1. https://github.com/frangoteam/FUXA/blob/master/server/settings.default.js

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.