express-openid-connect is vulnerable to session fixation. The vulnerability exists because the library does not regenerate the session ID and cookie when a user logs in, allowing a malicious user to hijack the session using previously generated cookies.
Name | Operator | Version
---|---|---
express-openid-connect | le | 2.5.1
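
The missing regeneration step described above, as an added example that is not code from express-openid-connect: a simplified in-memory session model that checks whether a cookie issued before login still maps to the authenticated user afterwards. The `SessionStore` class, its method names, `checkLogin` and the user `alice` are all hypothetical.

```javascript
// Simplified session model, constructed for illustration only.
const { randomBytes } = require('node:crypto');

class SessionStore {
  constructor() { this.sessions = new Map(); }
  newId() { return randomBytes(32).toString('hex'); }

  // Reuse the session named by the cookie, or create an anonymous one.
  open(cookie) {
    if (cookie && this.sessions.has(cookie)) return cookie;
    const id = this.newId();
    this.sessions.set(id, { user: null });
    return id;
  }

  // Flawed: the authenticated state is attached to the pre-login ID.
  loginKeepId(id, user) {
    this.sessions.get(id).user = user;
    return id;
  }

  // Corrected: the old ID is invalidated and a fresh one is issued.
  loginRegenerate(id, user) {
    const data = this.sessions.get(id);
    this.sessions.delete(id);
    const fresh = this.newId();
    this.sessions.set(fresh, { ...data, user });
    return fresh;
  }

  userFor(cookie) {
    const s = this.sessions.get(cookie);
    return s ? s.user : null;
  }
}

// Log in with the given method and report what each cookie value maps to.
function checkLogin(method) {
  const store = new SessionStore();
  const before = store.open(undefined); // cookie issued before login
  const after = store[method](before, 'alice');
  return {
    idChanged: before !== after,
    oldCookieUser: store.userFor(before),
    newCookieUser: store.userFor(after),
  };
}

console.log(checkLogin('loginKeepId'), checkLogin('loginRegenerate'));
```

The same check, that a cookie value seen before login is no longer accepted after login, can be kept as a regression test for an application's login flow.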