19 matches found
CVE-2026-54431
In liboauth2 the Demonstrating Proof-of-Possession DPoP verifier accepts a proof whose JSON Web Key jwk header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof but oauth2tokenverify function returns success for a malformed DPoP proof that...
GHSA-XQ8M-7C5P-C2R6 Auth0 Next.js SDK has Improper Proxy Cache Lookup
Description In affected versions of the Next.js SDK, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Which Projects are Affected? Users are affected if they meet all of the following preconditions: -...
CVE-2026-40155
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users are affected if...
CVE-2026-40155
The CVE concerns the Auth0 Next.js SDK. Affected versions: 4.12.0–4.17.1. Issue: when multiple simultaneous requests trigger a nonce retry, the proxy cache fetcher may perform improper lookups for token request results. Impact: affects projects using both the vulnerable SDK versions and the proxy...
CVE-2026-40155 Auth0 Next.js SDK has Improper Proxy Cache Lookup
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users are affected if...
PT-2026-33516
Name of the Vulnerable Software and Affected Versions Auth0 Next.js SDK versions 4.12.0 through 4.17.1 Description Simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for token request results. This occurs when projects use the proxy...
EUVD-2024-3141
Malicious code in bioql PyPI...
CVE-2024-49755
Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even...
Leaked Token Reuse Attack
Duende IdentityServer is vulnerable to Leaked Token Reuse Attack. The vulnerability is due to insufficient validation of the cnf claim in DPoP access tokens by the LocalApiAuthenticationHandler. It allows attackers to misuse leaked tokens without requiring the private key needed for signing proof...
CVE-2024-49755
Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even...
CVE-2024-49755 Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs
Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even...
CVE-2024-49755 Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs
Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even...
CVE-2024-49755 Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs
Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even...
CVE-2024-49755
Duende IdentityServer (ASP.NET Core) Local API authentication handler improperly validates the cnf claim in DPoP access tokens. This lets an attacker use leaked DPoP tokens at local API endpoints without the private key, affecting only endpoints explicitly using LocalApiAuthenticationHandler for ...
GHSA-V9XQ-2MVM-X8XC Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs
Impact IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even without possessing the private key for signing proof tokens. Note that this only...
Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs
Impact IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even without possessing the private key for signing proof tokens. Note that this only...
Insecure Token Verification
@solid/identity-token-verifier has an insecure token verification. The vulnerability exists due to a flaw in the implementation of the identity token verifier library which allows an attacker to spoof another user's DPoP...
GHSA-XMH9-RG6F-J3MR Verification flaw in Solid identity-token-verifier
Impact Severity Any Pod on a Solid server using a vulnerable version of the identity-token-verifier library is at risk of a spoofed Demonstration of Proof-of-Possession DPoP token binding. This vulnerability could give total and complete access to a targeted Pod. Summary A verification flaw in th...
Verification flaw in Solid identity-token-verifier
Impact Severity Any Pod on a Solid server using a vulnerable version of the identity-token-verifier library is at risk of a spoofed Demonstration of Proof-of-Possession DPoP token binding. This vulnerability could give total and complete access to a targeted Pod. Summary A verification flaw in th...