Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03cDk5LTM3OTgtZjg1Y803ag
URL Redirection to Untrusted Site ('Open Redirect') in express-openid-connect
Impact
Users of the requiresAuth
middleware, either directly or through the default authRequired
option, are vulnerable to an Open Redirect when the middleware is applied to a catch all route.
If all routes under example.com
are protected with the requiresAuth
middleware, a visit to http://example.com//google.com
will be redirected to google.com
after login because the original url reported by the Express framework is not properly sanitised.
Am I affected?
You are affected by this vulnerability if you are using the requiresAuth
middleware on a catch all route or the default authRequired
option and express-openid-connect
version <=2.7.1
.
How to fix that?
Upgrade to version >=2.7.2
Will this update impact my users?
The fix provided in the patch will not affect your users.
Permalink: https://github.com/advisories/GHSA-7p99-3798-f85cJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03cDk5LTM3OTgtZjg1Y803ag
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N
Identifiers: GHSA-7p99-3798-f85c, CVE-2022-24794
References:
- https://github.com/auth0/express-openid-connect/security/advisories/GHSA-7p99-3798-f85c
- https://github.com/auth0/express-openid-connect/commit/0947b92164a2c5f661ebcc183d37e7f21de719ad
- https://nvd.nist.gov/vuln/detail/CVE-2022-24794
- https://github.com/advisories/GHSA-7p99-3798-f85c
Blast Radius: 21.8
Affected Packages
npm:express-openid-connect
Dependent packages: 21Dependent repositories: 807
Downloads: 249,407 last month
Affected Version Ranges: < 2.7.2
Fixed in: 2.7.2
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 1.0.0, 1.0.1, 1.0.2, 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.4.0, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.7.0, 2.7.1
All unaffected versions: 2.7.2, 2.7.3, 2.8.0, 2.9.0, 2.10.0, 2.11.0, 2.12.0, 2.12.1, 2.13.0, 2.14.0, 2.15.0, 2.16.0, 2.17.0, 2.17.1