@node-oauth/oauth2-server@5.2.2-rc.0

Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js

  • latest version

    5.3.0

  • latest non vulnerable version

  • first published

    4 years ago

  • latest version published

    3 months ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the @node-oauth/oauth2-server package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Improper Validation of Unsafe Equivalence in Input

    @node-oauth/oauth2-server is a Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js

    Affected versions of this package are vulnerable to Improper Validation of Unsafe Equivalence in Input in the token process. An attacker can obtain unauthorized access to bearer tokens by brute-forcing weak or invalid code_verifier values during the PKCE token exchange, especially if an authorization code has been intercepted. This is possible because the server does not enforce RFC7636 requirements for the code_verifier and does not revoke the authorization code after failed attempts, allowing repeated online guesses.

    How to fix Improper Validation of Unsafe Equivalence in Input?

    Upgrade @node-oauth/oauth2-server to version 5.3.0 or higher.

    <5.3.0