CVE-2026-45091
sealed-env · sealed-env
The sealed-env library incorrectly embeds literal TOTP secrets in unencrypted JWS payloads, allowing unauthorized parties to extract sensitive credentials.
Executive summary
A critical security flaw in the sealed-env library exposes TOTP secrets in plaintext, allowing unauthorized access to sensitive authentication tokens.
Vulnerability
The library embeds the operator's TOTP secret in the payload of a JWS, which is base64-encoded but not encrypted; base64 is a reversible encoding, not protection. Any party that can read the minted tokens, such as log aggregators or CI/CD systems, can decode the payload and recover the secret in plaintext.
Business impact
With a CVSS score of 9.1, this vulnerability poses a severe risk of credential compromise. Exposure of TOTP secrets effectively invalidates the multi-factor authentication mechanism for the affected environment, potentially granting attackers persistent access to critical systems and data.
Remediation
Immediate Action: Update the sealed-env library to version 0.1.0-alpha.4 or later.
Proactive Monitoring: Review CI/CD logs, container logs, and monitoring tools for the presence of leaked TOTP secrets and rotate all affected secrets immediately.
Compensating Controls: Implement secret scanning and log sanitization procedures to prevent sensitive tokens from being stored in cleartext in logs or environment variables.
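The following added example, written for this advisory and not taken from the sealed-env project, illustrates both the mechanism described under "Vulnerability" and the log-review and log-sanitization steps above. It builds a constructed JWS-shaped token (the claim name "totp_secret", the sample secret and the log lines are all invented for the demonstration; sealed-env's real claim names are not documented here), shows that the payload decodes without any key, and then scans log lines for such tokens, flagging claims whose name looks secret-related or whose value looks like a base32 TOTP seed, and redacts the token for sanitized storage.

```python
import base64
import json
import re

# Matches the three base64url segments of a compact JWS in free text.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]+")
# Heuristics (assumptions): a claim name mentioning TOTP/OTP/secret, or a value
# that is base32 of plausible seed length, is treated as a leaked secret.
SENSITIVE_KEY = re.compile(r"totp|otp|secret", re.I)
BASE32_VALUE = re.compile(r"^[A-Z2-7]{16,}=*$")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that compact JWS strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    # Constructed token for the demo: the signature is a placeholder, because
    # the point is that the payload is readable regardless of the signature.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(b'not-a-real-signature')}"


def decode_jws_payload(token: str):
    # No key is needed: the payload is only encoded, never encrypted.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    return claims if isinstance(claims, dict) else None


def find_leaked_totp_secrets(line: str):
    """Return (claim, value) pairs from any JWS in the line that look like TOTP seeds."""
    findings = []
    for match in TOKEN_RE.finditer(line):
        claims = decode_jws_payload(match.group(0))
        if not claims:
            continue
        for key, value in claims.items():
            if isinstance(value, str) and (SENSITIVE_KEY.search(key) or BASE32_VALUE.match(value)):
                findings.append((key, value))
    return findings


def scan_logs(lines):
    """Map 1-based line numbers to their findings; lines without findings are omitted."""
    return {n: f for n, line in enumerate(lines, 1) if (f := find_leaked_totp_secrets(line))}


def redact_jws(line: str) -> str:
    # Log sanitization: drop the whole token rather than only the payload.
    return TOKEN_RE.sub("<redacted-jws>", line)


# Constructed log lines standing in for CI runner output; "JBSWY3DPEHPK3PXP" is a
# well-known documentation example of a base32 TOTP seed, not a real credential.
CONSTRUCTED_LOGS = [
    "2026-01-15T10:02:11Z ci-runner[412] INFO minted token "
    + make_sample_token({"sub": "operator", "totp_secret": "JBSWY3DPEHPK3PXP"}),
    "2026-01-15T10:02:12Z ci-runner[412] INFO minted token "
    + make_sample_token({"sub": "build-bot", "scope": "read"}),
    "2026-01-15T10:02:13Z ci-runner[412] INFO job finished",
]

if __name__ == "__main__":
    for line_no, findings in scan_logs(CONSTRUCTED_LOGS).items():
        print(f"line {line_no}: leaked claims {findings}")
    for line in CONSTRUCTED_LOGS:
        print(redact_jws(line))
```

Running the script reports the first constructed line as leaking a totp_secret claim, leaves the second and third lines clean, and prints every line with the token replaced by a placeholder. The base32 heuristic is deliberately broad and will flag other base32 values of seed length; in a real triage that is the preferred failure mode, since a missed secret is worse than a false positive that an analyst dismisses.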
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
This vulnerability represents a significant failure in secure secret management. It is imperative that affected organizations upgrade to the latest version of the library and immediately rotate any TOTP secrets that may have been exposed through logs or build environments.