CVE-2023-31999

Description

### Impact All versions of @fastify/oauth2 used a statically generated `state` parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 `state` parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be connected to the user's session in some way that will allow the server to validate it. ### Patches v7.2.0 changes the default behavior to store the `state` in a cookie with the `http-only` and `same-site=lax` attributes set. The state is now by default generated for every user. Note that this contains a breaking change in the `checkStateFunction` function, which now accepts the full `Request` object. ### Workarounds There are no known workarounds. ### References * [Prevent Attacks and Redirect Users with OAuth 2.0 State Parameters](https://auth0.com/docs/secure/attack-protection/state-parameters)

How to fix CVE-2023-31999

To remediate CVE-2023-31999, upgrade the affected package to a fixed version below.

• —upgrade to 7.2.0 or later

Is CVE-2023-31999 being exploited?

Low — EPSS is 1.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 7.2.0

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-35935
• PATCHgithub.com/fastify/fastify-oauth2
• WEBauth0.com/docs/secure/attack-protection/state-parameters
• WEBgithub.com/fastify/fastify-oauth2/commit/bff756b456cbb769080631af2beb85671ff4c79c