oauth2-server@3.0.1 vulnerabilities

Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js

latest version

3.1.1
first published

14 years ago
latest version published

4 years ago
licenses detected
- MIT
  >=3.0.0-b3
View oauth2-server package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the oauth2-server package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) oauth2-server is a Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when the value of the `redirect_uri` parameter received during the authorization and token request is checked against an incorrect URI pattern ("[a-zA-Z][a-zA-Z0-9+.-]+:") before making a redirection. Exploiting this vulnerability is possible via the `redirect_uri` parameter while making an authorization request. How to fix Cross-site Scripting (XSS)? There is no fixed version for `oauth2-server`.	*
H Access Restriction Bypass oauth2-server is a Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js Affected versions of this package are vulnerable to Access Restriction Bypass via implementation of OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: this vulnerability is disputed by the vendor, who states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not misleading and I also therefore wouldn't describe this as a "vulnerability" with the library per se.' How to fix Access Restriction Bypass? There is no fixed version for `oauth2-server`.	*

Cross-site Scripting (XSS)

oauth2-server is a Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when the value of the redirect_uri parameter received during the authorization and token request is checked against an incorrect URI pattern ("[a-zA-Z][a-zA-Z0-9+.-]+:") before making a redirection. Exploiting this vulnerability is possible via the redirect_uri parameter while making an authorization request.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for oauth2-server.

Access Restriction Bypass

oauth2-server is a Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js

Affected versions of this package are vulnerable to Access Restriction Bypass via implementation of OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692.

NOTE: this vulnerability is disputed by the vendor, who states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not misleading and I also therefore wouldn't describe this as a "vulnerability" with the library per se.'

How to fix Access Restriction Bypass?

There is no fixed version for oauth2-server.

Go back to all versions of this package

oauth2-server@3.0.1 vulnerabilities

Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities