@cloudflare/workers-oauth-provider@0.0.4-0 vulnerabilities
OAuth provider for Cloudflare Workers
latest version
0.0.5
latest non vulnerable version
first published
2 months ago
latest version published
16 days ago
licenses detected
- >=0
Direct Vulnerabilities
Known vulnerabilities in the @cloudflare/workers-oauth-provider package. This does not include vulnerabilities belonging to this package’s dependencies.
How to fix?
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free| Vulnerability | Vulnerable Version |
|---|---|
@cloudflare/workers-oauth-provider is an OAuth provider for Cloudflare Workers Affected versions of this package are vulnerable to Open Redirect due to the missing validation of the redirect URI on the authorize endpoint. An attacker can impersonate a user and potentially steal credentials by tricking a victim into visiting a malicious website. This is only exploitable if the OAuth server's authorized callback is designed to auto-approve authorizations that appear to come from an OAuth client that the victim has previously authorized. How to fix Open Redirect? Upgrade | <0.0.5 |
@cloudflare/workers-oauth-provider is an OAuth provider for Cloudflare Workers Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the implementation of the PKCE mechanism. An attacker can bypass the PKCE protection by performing a downgrade attack. This is only exploitable if the server is configured to accept OAuth 2.0 instead of the required OAuth 2.1. How to fix Improper Verification of Cryptographic Signature? Upgrade | <0.0.5 |