CVELIST:CVE-2024-35220 (cvelist, GitHub_M)
History: May 21, 2024 - 8:26 p.m.

CVE-2024-35220 @fastify/session reuses destroyed session cookie

2024-05-21 20:26:53
CWE-613
GitHub_M, www.cve.org
Tags: fastify session, cookie plugin, vulnerability, patched, cve-2024-35220

CVSS3: 7.4
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

EPSS: 0
Percentile: 15.5%

@fastify/session is a session plugin for fastify. It requires the @fastify/cookie plugin. When restoring the cookie from the session store, the expires field is overridden if the maxAge field was set.
This means a cookie is never correctly detected as expired, and thus expired sessions are not destroyed. This vulnerability has been patched in 10.8.0.
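The following is an added illustration of the flaw class the description names, written for this page; it is not @fastify/session's own code and does not reproduce its internals. It contrasts a restore path that recomputes expires from maxAge on every load (so a stored, already-expired session is silently revived) with one that keeps the persisted expires value, only derives it from maxAge when none was stored, and destroys the session when it is past expiry. All names (restoreSessionNaive, restoreSessionSafe, makeMemoryStore, the stored-session shape) and the sample session record are assumptions constructed for the example.

```javascript
// Added example, not the plugin's code. Shows why recomputing `expires`
// from `maxAge` on restore defeats expiry (CWE-613), and a restore path
// that honours the stored expiry and destroys stale sessions.

const ONE_HOUR_MS = 60 * 60 * 1000;

// Constructed sample: a session record as a store might persist it.
// The shape (sessionId, userId, cookie.maxAge, cookie.expires) is assumed.
function makeStoredSession(createdAt, maxAge) {
  return {
    sessionId: 'constructed-session-id',
    userId: 42,
    cookie: {
      maxAge,
      expires: new Date(createdAt + maxAge).toISOString(),
    },
  };
}

// Flawed pattern (the behaviour the advisory describes): `expires` is
// overwritten from `maxAge` on every restore, so the original deadline is
// lost and the expiry check below can never fire.
function restoreSessionNaive(stored, now) {
  const cookie = { ...stored.cookie };
  if (cookie.maxAge) {
    cookie.expires = new Date(now + cookie.maxAge).toISOString();
  }
  const expired = new Date(cookie.expires).getTime() <= now;
  return expired ? null : { ...stored, cookie };
}

// Hardened pattern: keep the persisted `expires`; derive it from `maxAge`
// only when nothing was stored; destroy the session once it is past expiry.
function restoreSessionSafe(stored, now, store) {
  const cookie = { ...stored.cookie };
  if (!cookie.expires && cookie.maxAge) {
    cookie.expires = new Date(now + cookie.maxAge).toISOString();
  }
  const expired =
    Boolean(cookie.expires) && new Date(cookie.expires).getTime() <= now;
  if (expired) {
    store.destroy(stored.sessionId);
    return null;
  }
  return { ...stored, cookie };
}

// Minimal in-memory stand-in for a session store so the example runs offline.
function makeMemoryStore() {
  const sessions = new Map();
  return {
    set: (s) => sessions.set(s.sessionId, s),
    get: (id) => sessions.get(id) || null,
    destroy: (id) => sessions.delete(id),
    size: () => sessions.size,
  };
}

// Drive both restore paths two hours after a one-hour session was created.
function demo() {
  const createdAt = Date.UTC(2024, 0, 1, 12, 0, 0);
  const store = makeMemoryStore();
  const stored = makeStoredSession(createdAt, ONE_HOUR_MS);
  store.set(stored);
  const twoHoursLater = createdAt + 2 * ONE_HOUR_MS;

  const naive = restoreSessionNaive(store.get(stored.sessionId), twoHoursLater);
  const safe = restoreSessionSafe(store.get(stored.sessionId), twoHoursLater, store);

  return {
    naiveRevived: naive !== null, // true: stale session accepted
    safeRevived: safe !== null,   // false: stale session rejected
    remainingInStore: store.size(), // 0: hardened path destroyed it
  };
}

console.log(demo());
```

The check to carry into a real deployment is the one the hardened path encodes: the value persisted with the session is the authoritative deadline, and maxAge is only a default for new sessions, never a reason to extend one that already exists. Verifying the fix is as simple as saving a session, advancing the clock past its expiry, and confirming the next request with the same cookie is treated as unauthenticated.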

CNA Affected

[
  {
    "vendor": "fastify",
    "product": "session",
    "versions": [
      {
        "version": "< 10.9.0",
        "status": "affected"
      }
    ]
  }
]

