express-openid-connect@2.0.0 vulnerabilities

Express middleware to protect web applications using OpenID Connect.

  • latest version

    2.17.1

  • latest non vulnerable version

  • first published

    6 years ago

  • latest version published

    1 years ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the express-openid-connect package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Open Redirect

    express-openid-connect is an Express JS middleware implementing sign on for Express web apps using OpenID Connect.

    Affected versions of this package are vulnerable to Open Redirect when the middleware is applied to a catch all route.

    If all routes under example.com are protected with the requiresAuth middleware, a visit to http://example.com//google.com will be redirected to google.com after login because the original url reported by the Express framework is not properly sanitised.

    How to fix Open Redirect?

    Upgrade express-openid-connect to version 2.7.2 or higher.

    <2.7.2