Lucene search

GoogleOSV:GHSA-PJ27-2XVP-4QXG

HistoryMay 21, 2024 - 6:09 p.m.

@fastify/session reuses destroyed session cookie

2024-05-2118:09:57

Google

osv.dev

fastify

session

expiration

issue

security

update

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.6%

JSON

Impact

When restoring the cookie from the session store, the expires field is overriden if the maxAge field was set.
This means a cookie is never correctly detected as expired and thus expired sessions are not destroyed.

Patches

Updating to v10.9.0 will solve this.

Workarounds

None

References

Publicly reported at: https://github.com/fastify/session/issues/251

CPENameOperatorVersion
@fastify/sessionlt10.9.0

CPE	Name	Operator	Version
	@fastify/session	lt	10.9.0

References

github.com/fastify/session

github.com/fastify/session/commit/0495ce5b534c4550f25228821db8098293439f2f

github.com/fastify/session/issues/251

github.com/fastify/session/security/advisories/GHSA-pj27-2xvp-4qxg

nvd.nist.gov/vuln/detail/CVE-2024-35220

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.6%

JSON

Related for OSV:GHSA-PJ27-2XVP-4QXG