Lucene search

K
githubGitHub Advisory DatabaseGHSA-PJ27-2XVP-4QXG
HistoryMay 21, 2024 - 6:09 p.m.

@fastify/session reuses destroyed session cookie

2024-05-2118:09:57
CWE-613
GitHub Advisory Database
github.com
7
fastify session cookie
session expiration
issue patch

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

AI Score

7

Confidence

Low

EPSS

0

Percentile

15.5%

Impact

When restoring the cookie from the session store, the expires field is overriden if the maxAge field was set.
This means a cookie is never correctly detected as expired and thus expired sessions are not destroyed.

Patches

Updating to v10.9.0 will solve this.

Workarounds

None

References

Publicly reported at: https://github.com/fastify/session/issues/251

Affected configurations

Vulners
Node
fastifysessionRange<10.9.0
VendorProductVersionCPE
fastifysession*cpe:2.3:a:fastify:session:*:*:*:*:*:*:*:*

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

AI Score

7

Confidence

Low

EPSS

0

Percentile

15.5%

Related for GHSA-PJ27-2XVP-4QXG