
GHSA-g8x5-p9qc-cf95

GitHub Security Advisory

@fastify/oauth2 vulnerable to Cross Site Request Forgery due to reused Oauth2 state

✓ GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

### Impact

All versions of @fastify/oauth2 before 7.2.0 generated a single `state` parameter once at startup and reused that same value across all requests for all users.
The purpose of the OAuth 2.0 `state` parameter is to prevent cross-site request forgery (CSRF) against the authorization callback. To do that it must be unpredictable, unique per authorization request, and bound to the user's session in a way that lets the server verify, on the callback, that the `state` it receives is the one it issued to that same browser. A process-wide value satisfies none of these: any party who completes a login of their own learns the `state` every other user will present, and can therefore craft a callback URL (carrying the attacker's own authorization code) that passes the check when a victim is tricked into opening it.

### Patches

v7.2.0 changes the default behavior to generate a fresh `state` for every user and store it in a cookie with the `HttpOnly` and `SameSite=Lax` attributes set, so that the value presented on the callback can be compared against the one issued to that browser. `SameSite=Lax` is deliberate: the identity provider returns the user via a top-level GET navigation, which a `Lax` cookie still accompanies, whereas `Strict` would drop it and break the login.

Note that this contains a breaking change in the `checkStateFunction` function, which now accepts the full `Request` object.

### Workarounds

There are no known workarounds.

### References

* [Prevent Attacks and Redirect Users with OAuth 2.0 State Parameters](https://auth0.com/docs/secure/attack-protection/state-parameters)

Affected Packages

npm @fastify/oauth2
Affected versions: < 7.2.0 (fixed in 7.2.0)

Related CVEs

Key Information

GHSA ID
GHSA-g8x5-p9qc-cf95
Published
July 5, 2023 9:36 PM
Last Modified
July 6, 2023 8:39 PM
CVSS Score
7.5 / 10
Primary Ecosystem
npm
Primary Package
@fastify/oauth2
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 7, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.