Firebase JavaScript SDK allows attackers to manipulate the "_authTokenSyncURL" to point to their own server
- Severity:
- Medium
Description
Firebase JavaScript SDK utilizes a “FIREBASE_DEFAULTS” cookie to store configuration data, including an “_authTokenSyncURL” field used for session synchronization.
Recommendation
Update the firebase package to the latest compatible version. Followings are version details:
- Affected version(s): < 10.9.0
- Patched version(s): 10.9.0
References
Related Issues
- AngularJS allows attackers to bypass common image source restrictions - angular - CVE-2024-8373
- Microsoft Playwright MCP Server vulnerable to DNS Rebinding Attack; Allows Attackers Access to All Server Tools - CVE-2025-9611
- Strapi allows Server-Side Request Forgery in Webhook function - CVE-2024-52588
- happy-dom allows for server side code to be executed by a <script> tag - CVE-2024-51757
You might also like:
- Tags:
- npm
- firebase
Anything's wrong? Let us know Last updated on November 18, 2024


