Overview
A critical vulnerability, tracked as CVE-2025-47945, has been recorded in the Common Vulnerabilities and Exposures (CVE) system for Donetick, an open-source application for managing tasks and chores. The flaw allows a full user account takeover, which can compromise the hosting system and expose user data. Given how widely Donetick is deployed, the vulnerability is a significant risk for system administrators and users alike and calls for immediate attention and mitigation.
Vulnerability Summary
CVE ID: CVE-2025-47945
Severity: Critical (CVSS score 9.1)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Full account takeover, potential system compromise, and data leakage
Affected Products
Product | Affected Versions
--- | ---
Donetick | Prior to version 0.1.44
How the Exploit Works
The vulnerability arises from the application's use of JSON Web Tokens (JWT) for user authentication. In versions prior to 0.1.44, the JWT signing secret ships with a weak default value, and the application relies on the system administrator to replace it with a strong one. Relying on manual configuration in this way proved inadequate: deployments that kept the default remained exposed. An attacker who can predict or brute-force the JWT signing key can mint valid JWTs and impersonate any user of the application, resulting in a full account takeover.
Conceptual Example Code
The following is a conceptual example of how an attacker might exploit this vulnerability:
POST /user/login HTTP/1.1
Host: vulnerable-donetick.com
Content-Type: application/json
{ "username": "victim", "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" }
In this example, the attacker sends a POST request to the login endpoint of the vulnerable Donetick application. The attacker supplies a malicious JWT (in this case, a JWT they have generated using the weak default signing secret) in place of a legitimate JWT, allowing them to impersonate the victim.
Mitigation and Conclusion
The vulnerability has been fixed in Donetick version 0.1.44, and users are strongly advised to update to that version as soon as possible. As a temporary mitigation, a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can be used to monitor and block malicious traffic, but these measures do not replace patching and updating the application. By staying current with updates and following sound security practices, users can significantly reduce the risk posed by vulnerabilities such as CVE-2025-47945.
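The root cause described under "How the Exploit Works" and the mitigation above both come down to one control: the JWT signing secret must never be a predictable default. The following Python example, added here and not taken from Donetick's code base, shows what a defender would put in place: a start-up check that refuses placeholder or low-variety secrets, a generator that draws a fresh 256-bit secret from the OS CSPRNG, and an HS256 verifier that rejects any token minted under a different (old or default) secret once the value has been rotated. The placeholder list, the hypothetical claims, and the threshold values are constructed for illustration and are not Donetick's actual defaults.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed list of placeholder-style values a deployment check should refuse.
# Illustrative only; these are not Donetick's real default (assumption).
PLACEHOLDER_SECRETS = {
    "secret", "changeme", "change-me", "default", "password",
    "jwt-secret", "jwt_secret", "your-secret-key", "supersecret",
}
MIN_SECRET_LENGTH = 32     # characters; 32 random bytes base64url-encoded gives 43
MIN_DISTINCT_CHARS = 12    # rejects low-variety strings such as "aaaa..." or "abab..."


def check_jwt_secret(secret: str) -> list:
    """Return the reasons a configured JWT signing secret is unacceptable.

    An empty list means every check passed. Meant to run at application
    start-up so a default or placeholder value cannot reach production.
    """
    if not secret:
        return ["secret is empty"]
    problems = []
    if secret.strip().lower() in PLACEHOLDER_SECRETS:
        problems.append("secret is a well-known placeholder value")
    if len(secret) < MIN_SECRET_LENGTH:
        problems.append(f"secret is shorter than {MIN_SECRET_LENGTH} characters")
    if len(set(secret)) < MIN_DISTINCT_CHARS:
        problems.append(f"secret uses fewer than {MIN_DISTINCT_CHARS} distinct characters")
    return problems


def generate_jwt_secret(nbytes: int = 32) -> str:
    """Produce a fresh signing secret from the OS CSPRNG (256 bits by default)."""
    return secrets.token_urlsafe(nbytes)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Mint a compact HS256 JWT, as an application would at login."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the claims if the token was signed with `secret`, otherwise None.

    The algorithm is pinned to HS256 and the MAC is compared in constant time,
    so a token minted under any other secret (including an old default) fails.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        provided = _b64url_decode(sig_b64)
    except ValueError:          # bad base64 padding, bad UTF-8 or malformed JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode("utf-8"),
                        f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    try:
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


def rotation_demo() -> tuple:
    """Show what rotating a placeholder secret to a generated one does to existing tokens.

    Returns (old_token_accepted_before_rotation, old_token_accepted_after_rotation).
    """
    weak = "changeme"                     # constructed placeholder value
    strong = generate_jwt_secret()
    token = sign_hs256({"sub": "victim", "role": "user"}, weak)   # hypothetical claims
    before = verify_hs256(token, weak) is not None
    after = verify_hs256(token, strong) is not None
    return before, after


if __name__ == "__main__":
    print("problems with 'changeme':", check_jwt_secret("changeme"))
    print("problems with generated secret:", check_jwt_secret(generate_jwt_secret()))
    print("old token accepted (before, after rotation):", rotation_demo())
```

Wiring `check_jwt_secret` into start-up and aborting on a non-empty result turns the "admin is expected to change it" assumption into an enforced invariant; rotating to a `generate_jwt_secret()` value also invalidates every session token issued under the old secret, which is the desired effect after an exposure like this one.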