Insufficient Session Expiration Affecting @fastify/secure-session package, versions <7.3.0


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Insufficient Session Expiration vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-FASTIFYSECURESESSION-6595953
  • published11 Apr 2024
  • disclosed10 Apr 2024
  • creditAdamKorcz

Introduced: 10 Apr 2024

CVE-2024-31999  (opens in a new tab)
CWE-613  (opens in a new tab)

How to fix?

Upgrade @fastify/secure-session to version 7.3.0 or higher.

Overview

@fastify/secure-session is a Create a secure stateless cookie session for Fastify

Affected versions of this package are vulnerable to Insufficient Session Expiration due to the session removal process. Specifically, in the delete function, when a session is deleted, it is marked for deletion. However, if an attacker could gain access to the cookie, they could continue using it indefinitely.

Workaround

Include a "last update" field in the session, and treat "old sessions" as expired. Make sure to configure your cookie as "http only".

References

CVSS Scores

version 3.1