express-openid-connect@0.8.0 vulnerabilities

Express middleware to protect web applications using OpenID Connect.

Direct Vulnerabilities

Known vulnerabilities in the express-openid-connect package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Open Redirect

express-openid-connect is an Express JS middleware implementing sign on for Express web apps using OpenID Connect.

Affected versions of this package are vulnerable to Open Redirect when the middleware is applied to a catch all route.

If all routes under example.com are protected with the requiresAuth middleware, a visit to http://example.com//google.com will be redirected to google.com after login because the original url reported by the Express framework is not properly sanitised.

How to fix Open Redirect?

Upgrade express-openid-connect to version 2.7.2 or higher.

<2.7.2