Authentication Bypass via Hardcoded Credentials GoAway up to v0.62.18, fixed in 0.62.19, uses a hardcoded secret for signing JWT tokens used for authentication.
https://github.com/pommee/goaway/releases/tag/v0.62.16
https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L88
https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L69
https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L40
https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L15
https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L110
https://github.com/pommee/goaway/blob/v0.62.18/backend/api/auth.go#L48
https://github.com/gian2dchris/CVEs/tree/CVE-2025-65730/CVE-2025-65730