# NXD-2023-001

> A live Stripe secret API key was publicly exposed in the developer documentation, enabling unauthorized access to payment operations.

# Security Advisory: Stripe Secret Key Exposure in Documentation

| Field                | Value                                                |
| -------------------- | ---------------------------------------------------- |
| **Advisory ID**      | NXD-2023-001                                         |
| **Published**        | 2023-03-05                                           |
| **Severity**         | Critical (CVSS 3.1 Base Score: 9.1)                  |
| **CWE**              | CWE-798 — Use of Hard-coded Credentials              |
| **Affected Product** | Nexudus Developer Documentation / Stripe Integration |
| **Status**           | Disclosed                                            |

***

## Summary

A live Stripe secret API key (`sk_live_…`) was inadvertently included in API request examples on the public Nexudus developer documentation site. This key provided full access to a Stripe account.

***

## Vulnerability Details

### What happened?

The Nexudus REST API documentation at `https://developers.nexudus.com/reference/get-invoices` included a live Stripe secret key in example API requests. Stripe secret keys (prefixed `sk_live_`) grant full programmatic access to the associated Stripe account without additional authentication.

### Root Cause

A live production credential was used in documentation examples instead of a placeholder or test-mode key (`sk_test_`). This key was committed to the documentation source and rendered publicly on the developer portal.

***

## Impact

With the exposed key, an attacker could:

### 1. Enumerate Connected Accounts & Contacts

List all connected Stripe accounts, exposing business names, email addresses, and account metadata.

### 2. Create Unauthorized Charges

Initiate charges against any connected account's stored payment methods (credit/debit cards), billing arbitrary amounts to Nexudus clients.

### 3. Issue Unauthorized Refunds

Refund previous legitimate charges, causing financial loss and accounting discrepancies for affected businesses.

### 4. Access Payout History

View full payout history including amounts, dates, and bank account details — exposing confidential financial data.

### 5. Additional Operations

Access to balance transactions, disputes, customer records, subscriptions, and other Stripe API resources associated with the account.

***

## Impact Assessment

| Category        | Impact                                                                                                              |
| --------------- | ------------------------------------------------------------------------------------------------------------------- |
| Confidentiality | Full exposure of client email addresses, business names, payment methods (partial card numbers), and payout history |
| Integrity       | Unauthorized charges and refunds could be issued against any connected account                                      |
| Availability    | Mass refunds or disputes could disrupt payment processing for all connected businesses                              |
| Financial       | Direct financial loss through unauthorized charges or refunds across the entire client base                         |

***

## Exploitation Prerequisites

* **Authentication Required:** No — the key was publicly accessible in documentation.
* **Technical Skill:** Minimal — standard Stripe API calls with the exposed key.
* **Tools Required:** Any HTTP client (curl, Postman, or the Stripe CLI).

***

## Remediation

1. **Remove the exposed key** from all documentation pages and source repositories.
2. **Rotate the compromised key** — generate new Stripe API keys and update all services using the old credentials.
3. **Audit Stripe logs** — review Stripe's request logs for any unauthorized usage during the exposure window.
4. **Use test keys in documentation** — ensure only `sk_test_` keys or clearly marked placeholders (e.g., `sk_live_YOUR_KEY_HERE`) appear in public examples.
5. **Implement secret scanning** — enable automated secret detection in CI/CD pipelines and documentation publishing workflows to prevent future credential leaks.
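The following is an added example, not Nexudus' own tooling or code from this advisory, of a pre-publish check that combines remediation steps 4 and 5: it scans documentation source for live Stripe secret keys, lets `sk_test_` keys and obvious placeholders (such as `sk_live_YOUR_KEY_HERE`, masked `XXXX…` runs, or the truncated `sk_live_…`) through, and redacts anything it does flag so the finding itself never re-leaks the credential. It goes slightly beyond the advisory by also matching Stripe restricted keys (`rk_live_`), which are a real Stripe key type not mentioned on this page. The key suffix length, the placeholder heuristic and the sample documents are assumptions constructed for the example; the key-like strings in the samples are not real keys.

```python
"""Pre-publish check: fail the docs build if a live Stripe secret key is present.

Added example for the remediation steps above; not part of the original advisory.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Live secret keys start with sk_live_ (restricted keys with rk_live_), followed by
# an alphanumeric suffix. Test-mode keys (sk_test_ / rk_test_) are acceptable in
# public examples, so the pattern deliberately matches only the live prefix.
# The minimum suffix length of 8 is an assumption chosen to catch candidates while
# letting a bare "sk_live_…" style truncation pass.
LIVE_KEY_RE = re.compile(r"\b(sk|rk)_live_([0-9A-Za-z_]{8,})\b")

# Heuristic (assumption): a suffix made only of uppercase letters/underscores
# (YOUR_KEY_HERE) or of one repeated character (XXXXXXXX) is a placeholder.
PLACEHOLDER_RE = re.compile(r"^(?:[A-Z_]+|(.)\1+)$")


@dataclass(frozen=True)
class Finding:
    path: str        # document the key was found in
    line: int        # 1-based line number
    key_type: str    # "sk" (secret) or "rk" (restricted)
    redacted: str    # safe-to-log form: prefix plus first 4 suffix characters


def is_placeholder(suffix: str) -> bool:
    """True if the part after sk_live_ looks like documentation filler, not a key."""
    return PLACEHOLDER_RE.fullmatch(suffix) is not None


def redact(key_type: str, suffix: str) -> str:
    """Keep just enough of the key to locate it in the source without exposing it."""
    return f"{key_type}_live_{suffix[:4]}****"


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per live-key candidate that is not a placeholder."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in LIVE_KEY_RE.finditer(line):
            key_type, suffix = match.group(1), match.group(2)
            if is_placeholder(suffix):
                continue
            findings.append(Finding(path, line_no, key_type, redact(key_type, suffix)))
    return findings


def scan_sources(sources: dict[str, str]) -> list[Finding]:
    """Scan a mapping of document path -> content (e.g. every file in docs/)."""
    findings: list[Finding] = []
    for path, text in sources.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample documents. The sk_live_ value below is NOT a real key.
SAMPLE_DOCS: dict[str, str] = {
    "reference/get-invoices.md": (
        "curl https://api.example.test/invoices \\\n"
        "  -H 'Authorization: Bearer sk_live_ExampleOnlyNotARealKey000'\n"
    ),
    "reference/placeholders.md": (
        "Use your key: sk_live_YOUR_KEY_HERE\n"
        "Test mode is fine: sk_test_ExampleOnlyNotARealKey000\n"
        "Truncated in prose: sk_live_…\n"
        "Masked: sk_live_XXXXXXXXXXXXXXXXXXXXXXXX\n"
    ),
}


def main(argv: list[str]) -> int:
    """Scan files named on the command line, or the constructed samples if none given.

    Exit status 1 when a live key is found, so a CI/CD or docs-publish step can
    block the release.
    """
    if argv:
        sources = {p: Path(p).read_text(encoding="utf-8", errors="replace") for p in argv}
    else:
        sources = SAMPLE_DOCS
    findings = scan_sources(sources)
    for f in findings:
        print(f"{f.path}:{f.line}: live Stripe {f.key_type} key found ({f.redacted})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to see it flag only the constructed `get-invoices.md` line, or pass `docs/**/*.md` from a publish hook so a non-zero exit stops the deployment. Rotation and log review (steps 2 and 3) still have to happen out of band: a scanner prevents the next leak, it does not undo one.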

***

## Timeline

| Date       | Event                                               |
| ---------- | --------------------------------------------------- |
| 2023-03-01 | Stripe live key included in developer documentation |
| 2023-03-08 | Vulnerability reported to Nexudus                   |
| 2023-03-08 | Key rotated and removed from documentation          |
| 2026-06-08 | Public disclosure                                   |

***

## Credit

Reported by Efran via responsible disclosure.
