CVE-2025-47945

CRITICAL
Published: May 17, 2025 · Modified: Jun 12, 2025 · CWE-453, CWE-1188

Description

Donetick is an open-source app for managing tasks and chores. Prior to version 0.1.44, the application uses JSON Web Tokens (JWT) for authentication, but the signing secret has a weak default value. While the responsibility is left to the system administrator to change it, this approach is inadequate. The vulnerability is proven by the existence of the issue in the live version as well. This issue can result in full account takeover of any user. Version 0.1.44 contains a patch.

CVSS v3.1 Score

9.1
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Weakness Type (CWE)

CWE-453
CWE-1188

Affected Products

Vendor Product
donetick donetick

References

Frequently Asked Questions

What is CVE-2025-47945?
Donetick is an open-source app for managing tasks and chores. Prior to version 0.1.44, the application uses JSON Web Tokens (JWT) for authentication, but the signing secret has a weak default value. While the responsibility is left to the system administrator to change it, this approach is inadequate. The vulnerability is proven by the existence of the issue in the live version as well. This issue can result in full account takeover of any user. Version 0.1.44 contains a patch. It has a CVSS v3.1 base score of 9.1 (CRITICAL).
How severe is CVE-2025-47945?
CVE-2025-47945 has a CVSS v3.1 score of 9.1 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately.
What products are affected by CVE-2025-47945?
CVE-2025-47945 affects products from donetick, specifically: donetick. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2025-47945?
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.
