@okta/oidc-middlewareOpen Redirect vulnerability

Description

An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL.

Affected products and versions Okta OIDC Middleware prior to version 5.0.0.

Resolution The vulnerability is fixed in OIDC Middleware 5.0.0.

Recommendation

Update the @okta/oidc-middleware package to the latest compatible version. Followings are version details:

• Affected version(s): < 5.0.0
• Patched version(s): 5.0.0

References

• GHSA-58h4-9m7m-j9m4
• CVE-2022-3145
• CWE-601
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Open Redirect in urijs - CVE-2022-0868
• Directory Traversal vulnerability in serve-lite - CVE-2022-21192
• undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect - CVE-2022-31151
• @dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details - CVE-2022-39350

Tags:

npm

@okta/oidc-middleware