1. JWT_SECRET Empty String Fallback Exposes Backend to Token Forgery Risk
A critical authentication bypass vector has been identified in backend configuration files where JWT_SECRET defaults to an empty string when not explicitly set. The vulnerability exists in backend/src/config/env.js and enables attackers to forge valid JWT tokens without knowledge of the intended secret key, effectively...
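The empty-string fallback this finding describes, shown beside a fail-closed loader, as an added illustration that is not the project's own env.js; the `jwtSecret` option name, the 32-byte minimum and the sample environments are assumptions.

```javascript
// Added example (not the project's code): the fallback pattern the finding
// describes, beside a loader that refuses to start without a real secret.
// The option name `jwtSecret` and the 32-byte floor are assumptions.
const MIN_SECRET_BYTES = 32;

// Vulnerable pattern: an unset variable silently becomes '', so every
// token the service issues is verifiable under a key nobody had to learn.
function loadConfigVulnerable(env) {
  return { jwtSecret: env.JWT_SECRET || '' };
}

// Hardened loader: fail closed on missing, blank, or too-short secrets
// so a misconfigured deployment cannot come up at all.
function loadJwtSecret(env) {
  const raw = env.JWT_SECRET;
  if (typeof raw !== 'string' || raw.trim() === '') {
    throw new Error('JWT_SECRET is not set; refusing to start');
  }
  if (Buffer.byteLength(raw, 'utf8') < MIN_SECRET_BYTES) {
    throw new Error(`JWT_SECRET must be at least ${MIN_SECRET_BYTES} bytes`);
  }
  return raw;
}

function loadConfigHardened(env) {
  return { jwtSecret: loadJwtSecret(env) };
}

// Constructed sample environments: one unset, one acceptable.
const unsetEnv = {};
const goodEnv = { JWT_SECRET: 'k'.repeat(MIN_SECRET_BYTES) };

console.log('vulnerable:', JSON.stringify(loadConfigVulnerable(unsetEnv)));
try {
  loadConfigHardened(unsetEnv);
} catch (err) {
  console.log('hardened rejects unset secret:', err.message);
}
console.log('hardened accepts:', loadConfigHardened(goodEnv).jwtSecret.length, 'bytes');
```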