GHSA-7rg2-qxmf-hhx9
GitHub Security Advisory
Session fixation in express-openid-connect
Severity: MODERATE (GitHub reviewed; has CVE)
Advisory Details
### Overview
Versions `2.3.0` up to and including `2.5.1` do not regenerate the session id and session cookie when a user logs in. Because the session identifier issued before authentication remains valid after it, this behavior opens up the application to various session fixation vulnerabilities.
### Am I affected?
You are affected by this vulnerability if you are using `express-openid-connect` version `2.3.0` up to and including `2.5.1` and use a custom session store.
### How to fix that?
Upgrade to version `>= 2.5.2`.
### Will this update impact my users?
The fix provided in the patch will not affect your users.
Affected Packages
npm: express-openid-connect
Affected versions: 2.3.0 up to and including 2.5.1 (fixed in 2.5.2)
Key Information
Severity score: 5.0/10
Dataset
Last updated: July 12, 2025 6:29 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.