Impact
The vulnerability arises because sealed‑env in enterprise mode embeds the operator’s literal TOTP secret in the JSON Web Signature (JWS) payload of every unseal token that is issued. A JWS is signed, not encrypted: the payload is only base64url‑encoded, so the signature protects integrity but provides no confidentiality. Any party that can observe a minted token, for example through CI build logs, container environment dumps, kubectl describe output, log aggregation services, error tracking, or other monitoring, can decode it without any key and recover the TOTP secret in clear text. With the exposed secret an attacker can unseal other secrets stored by the library and compromise systems that rely on those secrets, leading to unauthorized access to sensitive data and potential privilege escalation.
Affected Systems
Affected systems are applications that use the sealed‑env library shipped by david almeidac in its enterprise mode. Versions 0.1.0‑alpha.1 through 0.1.0‑alpha.3 embed the literal TOTP secret in each unseal token. The library is available for Node.js and Java/Spring Boot environments, so any Node.js or Java application that incorporates these specific versions is impacted.
Risk and Exploitability
The CVSS score of 9.1 indicates critical severity. An EPSS score is not available, but the absence of credential or privilege prerequisites suggests a high probability of exploitation in practice. The vulnerability is not listed in CISA’s KEV catalog, but exposure arises whenever an attacker can access token data through logs or other observable outputs. An attacker who can read CI build logs, container environment dumps, or monitoring dashboards can immediately decode an unseal token and retrieve the TOTP secret. The vulnerability does not require code execution or privileged access, making it relatively easy to exploit in environments where logging is not sanitized.
OpenCVE Enrichment
Github GHSA