@solid/identity-token-verifier@0.5.0 vulnerabilities

Verifies Solid access tokens via their WebID claim, and thus asserts ownership of WebIDs.

Direct Vulnerabilities

Known vulnerabilities in the @solid/identity-token-verifier package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Authentication Bypass

@solid/identity-token-verifier is a Verifies Solid access tokens via their WebID claim, and thus asserts ownership of WebIDs.

Affected versions of this package are vulnerable to Authentication Bypass. A verification flaw in the implementation of the identity token verifier library (https://github.com/solid/identity-token-verifier) allows DPoP proofs to be spoofed.

DPoP proofs are used to bind access tokens to a private key meant to be in sole possession of a specific user. Instead of verifying against the hash of an embedded public key, the library instead verifies against a field that an attacker can modify to spoof another user’s DPoP.

A stolen DPoP proof, when used in the right context, therefore allows the rebinding of a DPoP-bound access token. Any attacker in possession of a targeted access token could build an attack environment to replay it on any Pod service with this vulnerability.

How to fix Authentication Bypass?

Upgrade @solid/identity-token-verifier to version 0.5.2 or higher.

<0.5.2