Fastify Secure Session Plugin Patches Issue Allowing Unlimited Session Renewal
CVE-2024-31999

7.4HIGH

Key Information:

Vendor

Fastify

CVE Published:
10 April 2024

What is CVE-2024-31999?

The Fastify Secure Session library (published as fastify-secure-session, now @fastify/secure-session) provides a secure stateless cookie session for Fastify: all session state lives in an encrypted cookie held by the client, and the server keeps no record of which sessions exist. Its session removal path is flawed. Deleting a session only marks it as deleted, and because the design is stateless nothing on the server records that the session has ended. An attacker who has obtained a copy of the session cookie (for example, captured before the legitimate user logged out) can therefore keep replaying it and retain access indefinitely. Version 7.3.0 contains a fix, and users should upgrade. Users who cannot upgrade, or who want defence in depth, are advised to store a 'last update' timestamp in the session data and treat sessions whose timestamp is too old as expired, which bounds how long a captured cookie remains usable.

Affected Version(s)

fastify-secure-session < 7.3.0

References

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
