Homepage
About Snyk

express-openid-connect@2.6.0 vulnerabilities

Express middleware to protect web applications using OpenID Connect.

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the express-openid-connect package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Open Redirect

express-openid-connect is an Express JS middleware implementing sign on for Express web apps using OpenID Connect.

Affected versions of this package are vulnerable to Open Redirect when the middleware is applied to a catch all route.

If all routes under example.com are protected with the requiresAuth middleware, a visit to http://example.com//google.com will be redirected to google.com after login because the original url reported by the Express framework is not properly sanitised.

How to fix Open Redirect?

Upgrade express-openid-connect to version 2.7.2 or higher.

<2.7.2
Go back to all versions of this package