CVE-2026-45091

CRITICAL 9.1, EPSS 0.01%

sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)

Published: 2026/5/12, Modified: 2026/5/13

Description

In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token. A JWS payload is base64url-encoded JSON, not ciphertext: anyone who could observe a minted token (CI build logs, container environment dumps, `kubectl describe pod` output, Sentry/Rollbar stack traces, log aggregators) could decode the payload and read the TOTP secret in plaintext.

An attacker holding (a) the master key (obtained through a separate compromise, for example a leaked CI secret) and (b) any single leaked unseal token can use the extracted TOTP secret to mint new valid unseal tokens for every future deploy, indefinitely, defeating the second-factor property the library claimed.

Patched in 0.1.0-alpha.4 by replacing the embedded secret with a salt-bound HMAC derivative (`enterprise_epoch = HMAC(totpSecret, salt || "epoch-v1")`); in the new design the TOTP secret never leaves the operator's machine. The wire format change is incompatible: files sealed by affected versions must be re-sealed and the TOTP secret rotated, because any token minted by an affected version may already have exposed it. The full migration playbook is in CHANGELOG.md.

Reported by an external reviewer who decoded the payload of a real minted token and confirmed bit-for-bit equality with the operator's .env.local TOTP secret.
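The following is an added illustration and is not sealed-env's code. It models the two designs the advisory describes with a minimal HS256 compact JWS (RFC 7515): the affected design puts the literal TOTP secret in the payload, the patched design carries only `HMAC(totpSecret, salt || "epoch-v1")`. It then shows the attacker's path (decode a leaked token without any key, reuse the secret plus the master key to mint a fresh token) and a defender's check that scans log lines for tokens whose payload exposes a secret. The payload field names (`totp_secret`, `enterprise_epoch`, `deploy_id`), the use of SHA-256 and the base32-decoded secret as the HMAC key, and all sample keys, secrets and log lines are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed sample values; not real sealed-env keys or secrets.
MASTER_KEY = b"constructed-master-key-for-demo-only"
TOTP_SECRET = "JBSWY3DPEHPK3PXP"  # base32 TOTP secret (RFC 6238 style), constructed
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed per-file salt


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jws(payload: dict, key: bytes) -> str:
    """Compact JWS, HS256. The signature binds the payload to the key; it does not hide it."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jws(token: str, key: bytes) -> bool:
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def read_payload_without_key(token: str) -> dict:
    """What any holder of a token can do: the payload is base64url JSON, not ciphertext."""
    return json.loads(_b64url_decode(token.split(".")[1]))


# --- affected design (0.1.0-alpha.1 .. alpha.3): literal secret in the payload ----------
def mint_vulnerable_token(totp_secret: str, master_key: bytes, deploy_id: str = "deploy-1") -> str:
    # Field name "totp_secret" is an assumption; the advisory only says the literal secret was embedded.
    return mint_jws({"sub": "unseal", "deploy_id": deploy_id, "totp_secret": totp_secret}, master_key)


# --- patched design (0.1.0-alpha.4): only a salt-bound HMAC derivative travels -----------
def derive_enterprise_epoch(totp_secret: str, salt: bytes) -> str:
    # enterprise_epoch = HMAC(totpSecret, salt || "epoch-v1"), as stated in the advisory.
    # Base32-decoding the secret for the HMAC key and using SHA-256 are assumptions.
    key = base64.b32decode(totp_secret)
    return hmac.new(key, salt + b"epoch-v1", hashlib.sha256).hexdigest()


def mint_patched_token(totp_secret: str, salt: bytes, master_key: bytes, deploy_id: str = "deploy-1") -> str:
    epoch = derive_enterprise_epoch(totp_secret, salt)
    return mint_jws({"sub": "unseal", "deploy_id": deploy_id, "enterprise_epoch": epoch}, master_key)


# --- attacker's view: one leaked token plus the master key ------------------------------
def recover_totp_secret(leaked_token: str):
    """Step (b) from the advisory: read the secret straight out of the payload, no key needed."""
    return read_payload_without_key(leaked_token).get("totp_secret")


def forge_future_token(leaked_token: str, master_key: bytes, deploy_id: str = "deploy-999"):
    """Steps (a)+(b): with the recovered secret and the master key, mint a token for any deploy."""
    secret = recover_totp_secret(leaked_token)
    if secret is None:
        return None  # patched payload: nothing reusable in it
    return mint_vulnerable_token(secret, master_key, deploy_id)


# --- defender's check: scan log lines for JWS tokens whose payload carries a TOTP secret --
_JWS_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def find_leaked_totp_secrets(log_lines):
    """Return (line_no, secret) for every JWS in the logs whose payload exposes a totp_secret."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for token in _JWS_RE.findall(line):
            try:
                secret = read_payload_without_key(token).get("totp_secret")
            except (ValueError, AttributeError):
                continue  # not a JSON-object-payload JWS; skip it
            if secret:
                hits.append((n, secret))
    return hits


if __name__ == "__main__":
    leaked = mint_vulnerable_token(TOTP_SECRET, MASTER_KEY)
    print("secret recovered from leaked token:", recover_totp_secret(leaked))
    patched = mint_patched_token(TOTP_SECRET, SALT, MASTER_KEY)
    print("patched payload:", read_payload_without_key(patched))
```

Note that `forge_future_token` needs the master key only to sign; everything else an attacker needs is readable from the token itself, which is why the advisory treats any single observed token as sufficient. The scanner is the kind of check to run over CI and aggregator logs when assessing exposure before rotating the secret.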

Affected packages (2)

CVSS score

Source   Version    Severity       Vector
osv      CVSS 3.1   CRITICAL 9.1   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References (3)