Session fixation in fastify-passport
CVE-2023-29019

8.1 HIGH

Key Information:

Vendor:
Fastify

CVE Published:
21 April 2023

What is CVE-2023-29019?

The @fastify/passport library (the fastify-passport package) is vulnerable to session fixation when it authenticates users against sessions managed by @fastify/session. Before the fix, a successful login marked the caller's existing session as authenticated without issuing a new sessionId. An attacker can therefore obtain a valid sessionId cookie from the application, plant it in a victim's browser, and trick the victim into logging in; because the server never rotates the identifier, the attacker's copy of the cookie now refers to the victim's authenticated session and can be used to hijack it. @fastify/passport 1.1.0 and 2.3.0 fix this by regenerating the sessionId on successful login, so any pre-login identifier an attacker holds is invalidated at that point. Users should upgrade to a fixed version. A quick check for a deployed application: log in and compare the sessionId cookie returned in Set-Cookie with the one sent in the login request; if they are identical, the session is not being rotated.

Affected Version(s)

fastify-passport < 1.1.0 (fixed in 1.1.0)

fastify-passport >= 2.0.0, < 2.3.0 (fixed in 2.3.0)


CVSS V3.1

Score:
8.1
Severity:
HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

(The metric values above are the ones that produce the stated 8.1 base score; an AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H vector would score 8.0, so the two must be read together.)

Timeline

  • Vulnerability published: 21 April 2023

  • Vulnerability Reserved