oauth2-server@3.0.1 vulnerabilities

Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js

Direct Vulnerabilities

Known vulnerabilities in the oauth2-server package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable Version

Severity: M
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) because the value of the redirect_uri parameter received during authorization and token requests is checked only against an overly permissive URI pattern ("[a-zA-Z][a-zA-Z0-9+.-]+:") before a redirect is issued. The vulnerability can be triggered via the redirect_uri parameter of an authorization request.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for oauth2-server.

Vulnerable version: *
Severity: H
Access Restriction Bypass

Affected versions of this package are vulnerable to Access Restriction Bypass because they implement OAuth 2.0 without PKCE (RFC 7636) and therefore do not prevent authorization code injection. This is similar to CVE-2020-7692.

NOTE: this vulnerability is disputed by the vendor, who states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not misleading and I also therefore wouldn't describe this as a "vulnerability" with the library per se.'

How to fix Access Restriction Bypass?

There is no fixed version for oauth2-server.

Vulnerable version: *