NodeJS/oauth2-server/3.1.0-beta.1
Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js
https://www.npmjs.com/package/oauth2-server
MIT
2 Security Vulnerabilities
Code Injection in oauth2-server
- https://nvd.nist.gov/vuln/detail/CVE-2017-18924
- https://github.com/advisories/GHSA-2fw4-mgq9-39cx
- https://github.com/oauthjs/node-oauth2-server/issues/637
- https://github.com/oauthjs/node-oauth2-server/pull/452
- https://codeburst.io/missing-the-point-in-securing-oauth-2-0-83968708b467
- https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15
- https://tools.ietf.org/html/rfc7636
oauth2-server (aka node-oauth2-server) through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not misleading and I also therefore wouldn't describe this as a vulnerability with the library per se.'
oauth2-server through 3.1.1 vulnerable to Open Redirect
- https://nvd.nist.gov/vuln/detail/CVE-2020-26938
- https://github.com/oauthjs/node-oauth2-server/issues/637
- https://github.com/oauthjs/node-oauth2-server/blob/91d2cbe70a0eddc53d72def96864e2de0fd41703/lib/grant-types/authorization-code-grant-type.js#L143
- https://github.com/oauthjs/node-oauth2-server/blob/91d2cbe70a0eddc53d72def96864e2de0fd41703/lib/validator/is.js#L12
- https://tools.ietf.org/html/rfc3986#section-3
- https://tools.ietf.org/html/rfc6749#section-3.1.2
- https://github.com/advisories/GHSA-4rg6-fm25-gc34
In oauth2-server (aka node-oauth2-server) through 3.1.1, the value of the redirect_uri parameter received during the authorization and token request is checked against an incorrect URI pattern (`[a-zA-Z][a-zA-Z0-9+.-]+:`) before making a redirection. This allows a malicious client to pass an XSS payload through the redirect_uri parameter while making an authorization request. NOTE: this vulnerability is similar to CVE-2020-7741.
16 Other Versions
Version | License | Security | Released | Age |
---|---|---|---|---|
3.1.1 | MIT | 2 | 2020-07-14 - 18:27 | about 4 years |
3.1.0 | MIT | 2 | 2020-07-01 - 08:14 | about 4 years |
3.1.0-rc1 | MIT | 2 | 2020-06-27 - 14:13 | about 4 years |
3.1.0-beta.1 | MIT | 2 | 2018-08-27 - 15:20 | about 6 years |
3.0.2 | MIT | 2 | 2020-05-24 - 14:58 | over 4 years |
3.0.1 | MIT | 2 | 2018-08-27 - 11:35 | about 6 years |
3.0.0 | MIT | 2 | 2017-08-09 - 15:41 | about 7 years |
3.0.0-b4 | MIT | 2 | 2017-04-26 - 17:00 | over 7 years |
3.0.0-b3 | MIT | 2 | 2016-11-10 - 11:58 | almost 8 years |
3.0.0-b2 | SEE LICENSE IN LICENSE | 2 | 2016-03-02 - 20:40 | over 8 years |
3.0.0-b3.1 | MIT | 2 | 2016-11-12 - 03:09 | almost 8 years |
3.0.0-b1 | SEE LICENSE IN LICENSE | 2 | 2016-03-02 - 20:39 | over 8 years |
2.4.1 | Apache-2.0 | 2 | 2015-06-29 - 09:39 | about 9 years |
2.4.0 | Apache-2.0 | 2 | 2015-03-11 - 15:46 | over 9 years |
2.3.0 | Apache-2.0 | 2 | 2014-09-14 - 21:19 | about 10 years |
2.2.2 | Apache-2.0 | 2 | 2014-07-23 - 07:40 | about 10 years |