Homepage
About Snyk

Authentication Bypass Affecting otpauth package, versions <3.2.8

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-OTPAUTH-451697
  • published 23 Jul 2019
  • disclosed 22 Jul 2019
  • credit Henrik Sommerland
Report a new vulnerability Found a mistake?

Introduced: 22 Jul 2019

CVE NOT AVAILABLE CWE-287 Open this link in a new tab

How to fix?

Upgrade otpauth to version 3.2.8 or higher.

Overview

otpauth is an One Time Password (HOTP/TOTP) authentication library for Node.js and browser.

Affected versions of this package are vulnerable to Authentication Bypass. The totp.validate() function may return positive values for single digit tokens even if they are invalid. This may allow attackers to bypass the OTP authentication by providing single digit tokens.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
7.5 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    None
  • Availability (A)
    None