@fastify/oauth2 vulnerable to Cross Site Request Forgery due to reused Oauth2 state
- Severity:
- High
Description
All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks.
Recommendation
Update the @fastify/oauth2 package to the latest compatible version. Followings are version details:
- Affected version(s): < 7.2.0
- Patched version(s): 7.2.0
References
Related Issues
- @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user - CVE-2025-61668
- Systeminformation has command injection vulnerability in getWindowsIEEE8021x (SSID) - CVE-2024-56334
- @workos-inc/authkit-nextjs refresh tokens are logged when the debug flag is enabled - CVE-2024-51752
- Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS - CVE-2024-43788
- Tags:
- npm
- @fastify/oauth2
Anything's wrong? Let us know Last updated on November 10, 2023