Annotation tool: token forgery using jwt secret to claim super admin role in deepset-ai/haystack


Reported on

Mar 22nd 2023

Although the annotator tool's source code is not directly provided in the repository a docker image is provided. From there it is easy to get access to the source code by either extracting the docker tar image, which can be exported from docker itself, or connecting to the container with an interactive session and browsing the application files.

The vulnerability is based on the hard coded value of config.jwt.secret = Hm************tA which is located at config/config.production.js Using this value it is possible to create new jwt tokens that have the super_admin role and allow a low level user to make previously restricted actions.

To make the attack work the same method that was used for producing the original tokens must be applied for the forged ones. The easiest way to do this is by making some modification to the existing back-end code of the annotation tool. For example adding the lines provided below in the getSignedJWT function found in app/service/userService.js. Running a locally host version of the modded back-end and logging in with a simple user would also produce a new jwt token with the super_admin role. To use this new token simply read it from /tmp/test.txt inside the running container or host system and change the value of dpst-token found in local storage of your browser for the domain that was used to make the original login.

Proof of Concept

 const fs = require('fs');
    let x =
        id: 2,
        email: "",
        role: "super_admin",

    fs.writeFile('/tmp/test.txt', x, err => {
      if (err) {


This impacts all the current versions of the annotation tool that are hosted either online or on company's internal network. Because the containers used will share the same secret key and that means that the forged tokens produced this way will work for all of them. Further more because of the way that the authentication is handled in the application it also means that you do not even need a valid account to login. Just a forged token and you have access to the application as a super admin.

This can affect both the integrity and availability of the tool and data. A logged in super admin can log in as any other user which means that he can make changes on behalf of them and mess up the annotation process and the results should no longer be trusted as training data for a QA model. Also with a scripted attack that removes created user the use of the tool can become very difficult.

PS: The permalink below is not real, due to the nature of the bug, it is just used to pass the mandatory check.

We are processing your report and will contact the deepset-ai/haystack team within 24 hours. 2 months ago
We have contacted a member of the deepset-ai/haystack team and are waiting to hear back 2 months ago
deepset-ai/haystack maintainer
2 months ago


Thank you for contacting the Security Team at deepset.

We have investigated your report and already provided a fix for the vulnerability. We are currently in the process of informing our impacted users and we kindly ask you to not disclose the vulnerability until we have carried out appropriate response.

deepset-ai/haystack maintainer validated this vulnerability 2 months ago
Nikolaos Raftogiannis has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
deepset-ai/haystack maintainer marked this as fixed in 0.1.30 with commit 5fc849 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
deepset-ai/haystack maintainer published this vulnerability 2 months ago
to join this conversation