@fastify/oauth2 vulnerable to Cross Site Request Forgery due to reused Oauth2 state
- Severity:
- High
Description
All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks.
Recommendation
Update the @fastify/oauth2 package to the latest compatible version. Followings are version details:
- Affected version(s): < 7.2.0
- Patched version(s): 7.2.0
References
Related Issues
- Astro development server error page is vulnerable to reflected Cross-site Scripting - CVE-2025-64745
- Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS) - CVE-2025-27109
- Systeminformation has command injection vulnerability in getWindowsIEEE8021x (SSID) - CVE-2024-56334
- @workos-inc/authkit-nextjs refresh tokens are logged when the debug flag is enabled - CVE-2024-51752
- Tags:
- npm
- @fastify/oauth2
Anything's wrong? Let us know Last updated on November 10, 2023