Session Cookie Hijacking Vulnerability in Fastify Session Plugin by Fastify
CVE-2024-35220

Key Information:

Vendor: Fastify
CVE Published: 21 May 2024

What is CVE-2024-35220?

The session plugin for Fastify, @fastify/session, is susceptible to a session management vulnerability caused by mishandled cookie expiration. The issue arises when a cookie is restored from the session store: if the maxAge field is set, the stored expires field may be incorrectly overridden. As a result, cookies that have already expired are not recognized as expired, sessions that should have ended are not revoked, and the risk of unauthorized access increases. Users are advised to update to version 10.8.0 or later to mitigate this issue.
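To make the described failure mode concrete, the following is an added illustration, not code from @fastify/session or from the 10.8.0 fix: a simplified model of restoring a session cookie from a store. The function names (restoreCookieVulnerable, restoreCookieFixed, isExpired, sessionAccepted) and the sample stored cookie are constructed for this example. The vulnerable variant recomputes expires from maxAge on every restore, so a cookie whose stored expiry is already in the past comes back looking fresh; the corrected variant treats a stored expires as authoritative and only falls back to maxAge when the store carried no expiry.

```javascript
// Added example (hypothetical names, not the plugin's own code): how a
// maxAge-based override of a stored expires value lets an expired session
// cookie be accepted, and the corrected handling.

const SECONDS = 1000;

// Constructed sample: a serialized cookie as it might be saved in a session
// store. Its expires timestamp is 10 minutes in the past relative to NOW.
const NOW = Date.parse('2024-05-21T12:00:00Z');
const storedCookie = {
  maxAge: 3600 * SECONDS,
  expires: new Date(NOW - 10 * 60 * SECONDS).toISOString(),
  path: '/',
  httpOnly: true,
};

// Vulnerable pattern: whenever maxAge is present, the expiry is recomputed
// relative to the current time, silently discarding the stored expires.
function restoreCookieVulnerable(stored, now = Date.now()) {
  const cookie = { ...stored };
  if (cookie.maxAge != null) {
    cookie.expires = new Date(now + cookie.maxAge);
  } else if (cookie.expires != null) {
    cookie.expires = new Date(cookie.expires);
  }
  return cookie;
}

// Corrected pattern: a stored expires is authoritative; maxAge only seeds the
// expiry when the store carried none (e.g. a cookie that was never persisted).
function restoreCookieFixed(stored, now = Date.now()) {
  const cookie = { ...stored };
  if (cookie.expires != null) {
    cookie.expires = new Date(cookie.expires);
  } else if (cookie.maxAge != null) {
    cookie.expires = new Date(now + cookie.maxAge);
  }
  return cookie;
}

// A cookie is expired once its expiry is at or before the current time.
function isExpired(cookie, now = Date.now()) {
  return cookie.expires instanceof Date && cookie.expires.getTime() <= now;
}

// Would the session restored by `restore` still be treated as valid?
function sessionAccepted(restore, stored, now = Date.now()) {
  return !isExpired(restore(stored, now), now);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable accepts expired cookie:',
    sessionAccepted(restoreCookieVulnerable, storedCookie, NOW)); // true
  console.log('fixed accepts expired cookie:',
    sessionAccepted(restoreCookieFixed, storedCookie, NOW)); // false
}
```

The distinguishing check is the order of the two branches: a restore path that consults maxAge first can never observe that the store already says the session ended. When reviewing session-store code, the test to write is exactly the one above: persist a cookie whose expires is in the past, restore it, and assert that it is rejected.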

Timeline

  • Vulnerability published: 21 May 2024