CWE-321 Hard-coded Cryptographic Key
What this means
SiteShadow flagged an encryption/signing key embedded directly in code or committed configuration.
Why it matters
Hard-coded keys are easily leaked and hard to rotate.
- Repo/history exposure: once committed, keys spread to forks, caches, and CI.
- Shared key problem: a single leaked key can compromise many environments.
- Rotation is painful if systems assume a static key forever.
Safer examples
1) Load keys from a secret manager / environment
// Read the key at startup and fail closed if it is absent, rather than falling back to a default.
const signingKey = process.env.SIGNING_KEY;
if (!signingKey) throw new Error("Missing SIGNING_KEY");
2) Prefer managed keys (KMS/HSM) for high-value secrets
Use a cloud KMS/HSM where possible: the application asks the key service to sign or decrypt, and the raw key never leaves it, so it is not copied into code, config, or CI.
3) Implement rotation
Support multiple active keys identified by key IDs, so tokens signed under the previous key still verify while new ones are signed under the current key; rotate on a schedule and immediately after any suspected leak.
How SiteShadow detects it (high level)
- Matches key-like values and high-risk key names (SIGNING_KEY, ENCRYPTION_KEY, privateKey).
- Uses heuristics to reduce false positives on obvious placeholders/examples.
References
- CWE-321: https://cwe.mitre.org/data/definitions/321.html
---