Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXY2NnAtdzdxeC13djk4
Authentication Bypass in express-laravel-passport
All versions of express-laravel-passport
are vulnerable to an Authentication Bypass. The package fails to properly validate JWTs, allowing attackers to send HTTP requests impersonating other users.
Recommendation
Upgrade to version 2.0.5 or later.
Permalink: https://github.com/advisories/GHSA-v66p-w7qx-wv98JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXY2NnAtdzdxeC13djk4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-v66p-w7qx-wv98
References:
- https://hackerone.com/reports/748214
- https://www.npmjs.com/advisories/1450
- https://github.com/advisories/GHSA-v66p-w7qx-wv98
Affected Packages
npm:express-laravel-passport
Dependent packages: 1Dependent repositories: 1
Downloads: 12 last month
Affected Version Ranges: >= 0.0.0
No known fixed version
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.1.0, 1.1.2