Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qY2p4LWMzajMtNDRwcs0W8A
Insufficient Session Expiration in @cyyynthia/tokenize
Impact
A bug introduced in version 1.1.0 made Tokenize generate faulty tokens with NaN as a generation date. As a result, tokens would not properly expire and remain valid regardless of the lastTokenReset field.
Patches
Version 1.1.3 contains a patch that'll invalidate these faulty tokens and make new ones behave as expected.
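The failure mode described under Impact, as an added example that is not code from @cyyynthia/tokenize: a NaN generation date makes every ordered comparison false, so a check written as "reject if older than the reset" never rejects. The token shape (`issuedAt`), the function names and the sample values are assumptions made for illustration; only `lastTokenReset` comes from the advisory.

```javascript
// Added illustration; NOT the code of @cyyynthia/tokenize.
// Assumed token model: { account, issuedAt }, where issuedAt is the numeric
// generation date compared against the account's lastTokenReset.

// Constructed sample account: all tokens were reset at t = 2000.
const account = { id: 'acct-1', lastTokenReset: 2000 };

// Naive check: reject only when the token is provably older than the reset.
// With issuedAt = NaN the comparison is false, so the token is accepted.
function naiveIsValid(token, acct) {
  if (token.issuedAt < acct.lastTokenReset) return false;
  return true;
}

// Hardened check: require a finite timestamp and phrase the test as an
// allow condition, so a NaN generation date fails closed.
function strictIsValid(token, acct) {
  if (!Number.isFinite(token.issuedAt)) return false;
  return token.issuedAt >= acct.lastTokenReset;
}

// Constructed sample tokens.
const tokens = {
  fresh: { account: 'acct-1', issuedAt: 2500 },
  stale: { account: 'acct-1', issuedAt: 1500 },
  faulty: { account: 'acct-1', issuedAt: Number('not-a-date') }, // NaN
};

// Does a token still pass after the account resets all of its tokens?
function survivesReset(check, token) {
  const later = { ...account, lastTokenReset: Number.MAX_SAFE_INTEGER };
  return check(token, later);
}

// Run both checks over every sample token.
function evaluate() {
  const out = {};
  for (const [name, t] of Object.entries(tokens)) {
    out[name] = { naive: naiveIsValid(t, account), strict: strictIsValid(t, account) };
  }
  return out;
}

console.log(evaluate());
console.log('faulty token survives a reset (naive):', survivesReset(naiveIsValid, tokens.faulty));
```
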
Workarounds
None. Tokens do not hold the necessary information to perform invalidation anymore.
References
PR #1
For more information
If you have any questions or comments about this advisory:
- Open an issue in github.com/cyyynthia/tokenize
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qY2p4LWMzajMtNDRwcs0W8A
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-jcjx-c3j3-44pr
References:
- https://github.com/cyyynthia/tokenize/security/advisories/GHSA-jcjx-c3j3-44pr
- https://github.com/advisories/GHSA-jcjx-c3j3-44pr
Blast Radius: 0.0
Affected Packages
npm:@cyyynthia/tokenize
Dependent packages: 2
Dependent repositories: 2
Downloads: 145 last month
Affected Version Ranges: >= 1.1.0, < 1.1.3
Fixed in: 1.1.3
All affected versions: 1.1.0, 1.1.1, 1.1.2
All unaffected versions: 1.1.3