Vulnerability in Fastify OAuth2 Affects User Session Security
CVE-2023-31999

8.8 HIGH

Key Information:

Vendor: Npm
CVE Published: 4 July 2023

What is CVE-2023-31999?

Prior to version 7.2.0, Fastify OAuth2 used a single static state parameter for all user sessions, which significantly undermined the parameter's purpose of preventing Cross-Site Request Forgery attacks: because the value was predictable, an attacker could supply it and manipulate user sessions. Version 7.2.0 fixes this by generating a unique state parameter for each user and storing it in a cookie with the HttpOnly and SameSite=Lax attributes. This strengthens protection against CSRF, but it is also a breaking change to how checkStateFunction operates: the function now receives the full Request object for better validation.

Affected Version(s)

@fastify/oauth2 v7.2.0

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved