critical

Go Restful API Boilerplate (dhax/go-base): Hardcoded JWT Secret "random" Allows Token Forgery and Auth Bypass

critical-cve-against-dependency · active

The dhax/go-base Go REST API boilerplate ships with a hardcoded JWT signing secret ("random"), present both in its template env file and as a code-level default. Because the secret is public, an attacker can forge JWT tokens for any user, including admin roles, completely bypassing authentication on all protected endpoints. A fix was merged in PR #31 (May 17, 2026).
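The defensive counterpart to this finding is a fail-closed startup check: refuse to run if the signing key is missing, is a known placeholder such as the shipped "random", or is too weak for HS256. The following Go is an added example written for this advisory, not code from dhax/go-base; the environment variable name AUTH_JWT_SECRET is an assumption, as is the placeholder list beyond "random".

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"strings"
)

// jwtSecretEnv is a hypothetical variable name; the project's real name is not given here.
const jwtSecretEnv = "AUTH_JWT_SECRET"

// HS256 keys should be at least 256 bits (32 bytes); shorter keys are brute-forceable offline.
const minSecretBytes = 32

// knownPlaceholders are values that must never be used as a signing key.
// "random" is the default this advisory describes; the others are assumed common placeholders.
var knownPlaceholders = map[string]bool{"random": true, "secret": true, "changeme": true}

var (
	ErrMissingSecret     = errors.New("jwt secret not set")
	ErrPlaceholderSecret = errors.New("jwt secret is a known placeholder value")
	ErrWeakSecret        = errors.New("jwt secret is too short or low-entropy")
)

// ValidateJWTSecret returns nil only for a key that is present, non-placeholder,
// long enough, and not a trivially repetitive string.
func ValidateJWTSecret(secret string) error {
	if secret == "" {
		return ErrMissingSecret
	}
	if knownPlaceholders[strings.ToLower(strings.TrimSpace(secret))] {
		return ErrPlaceholderSecret
	}
	distinct := map[rune]bool{}
	for _, r := range secret {
		distinct[r] = true
	}
	if len(secret) < minSecretBytes || len(distinct) < 8 {
		return ErrWeakSecret
	}
	return nil
}

// LoadJWTSecret reads the key via getenv (os.Getenv in production) and fails closed.
func LoadJWTSecret(getenv func(string) string) ([]byte, error) {
	s := getenv(jwtSecretEnv)
	if err := ValidateJWTSecret(s); err != nil {
		return nil, fmt.Errorf("%s: %w", jwtSecretEnv, err)
	}
	return []byte(s), nil
}

// NewJWTSecret generates a fresh 256-bit key, base64url-encoded for an env file.
func NewJWTSecret() (string, error) {
	b := make([]byte, minSecretBytes)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

func main() {
	if _, err := LoadJWTSecret(os.Getenv); err != nil {
		fmt.Println("refusing to start:", err)
		os.Exit(1)
	}
}
```

Wire LoadJWTSecret into the server's config loading so a deployment that still carries the template value never comes up; NewJWTSecret gives operators a key to put in place of it.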
