Home > Vulnerability Database > CVE-2023-31999

Mend.io Vulnerability Database

CVE-2023-31999

Good to know:

Date: July 4, 2023

All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be connected to the user's session in some way that will allow the server to validate it. v7.2.0 changes the default behavior to store the state in a cookie with the http-only and same-site=lax attributes set. The state is now by default generated for every user. Note that this contains a breaking change in the checkStateFunction function, which now accepts the full Request object.

Language: JS

Severity Score

8.8

Related Resources (5)

Url: https://github.com/fastify/fastify-oauth2/releases/tag/v7.2.0

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-31999

Url: https://auth0.com/docs/secure/attack-protection/state-parameters

Url: https://hackerone.com/reports/2020418

Url: https://www.mend.io/vulnerability-database/CVE-2023-31999

Severity Score

8.8

Weakness Type (CWE)

Cross-Site Request Forgery (CSRF)

CWE-352

Top Fix

Upgrade Version

Upgrade to version @fastify/oauth2 - 7.2.0

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-31999

Good to know:

Date: July 4, 2023

Language: JS

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?