CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
AI Score
Confidence: High
EPSS Percentile: 15.5%
@fastify/session is vulnerable to Insufficient Session Expiration. When a session cookie's maxAge field is set, the library recomputes and overrides the cookie's expires field, so a cookie whose original expiry has passed is never detected as expired and the corresponding session is not destroyed. An attacker who holds a session cookie can therefore keep that session alive indefinitely, potentially leading to unauthorized access.
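The failure mode described above, as an added illustration that is not @fastify/session's own code: a minimal model of how a session's cookie metadata is loaded from a store on each request. The function and field names (makeSession, vulnerableLoad, hardenedLoad, the cookie object with maxAge and expires) are assumptions chosen for the example; the point is that recomputing expires from maxAge relative to the current time discards the persisted absolute expiry, so the expiry check that follows can never fire.

```javascript
// Added example, not code from @fastify/session. Names and structure are
// hypothetical; only the pattern (maxAge overriding a stored expires) is the
// behaviour described in the advisory.

// Normalise the expires value a store may hand back as a string after a JSON
// round trip, so comparisons below always work on a Date.
function toDate(value) {
  if (value == null) return null;
  return value instanceof Date ? value : new Date(value);
}

// Hypothetical persisted session: an absolute expiry was computed once, when
// the session was created, from the maxAge in force at that time.
function makeSession(createdAtMs, maxAgeMs) {
  return {
    cookie: { maxAge: maxAgeMs, expires: new Date(createdAtMs + maxAgeMs) },
  };
}

// Vulnerable pattern: on every load, if maxAge is set, expires is rebuilt
// relative to *now*, overwriting the persisted expiry. The expiry check that
// follows therefore always sees a cookie that is still valid, and the
// session is never destroyed no matter how old it is.
function vulnerableLoad(stored, nowMs) {
  const cookie = { ...stored.cookie, expires: toDate(stored.cookie.expires) };
  if (cookie.maxAge != null) {
    cookie.expires = new Date(nowMs + cookie.maxAge); // overrides stored expiry
  }
  const expired = cookie.expires.getTime() <= nowMs;
  return { expired, cookie };
}

// Hardened pattern: the persisted expires is authoritative for the expiry
// check. maxAge is only used to derive an expiry when none was stored, and
// any rolling refresh happens after the check, never before it.
function hardenedLoad(stored, nowMs, { rolling = false } = {}) {
  const cookie = { ...stored.cookie, expires: toDate(stored.cookie.expires) };
  if (cookie.expires == null && cookie.maxAge != null) {
    cookie.expires = new Date(nowMs + cookie.maxAge);
  }
  const expired = cookie.expires != null && cookie.expires.getTime() <= nowMs;
  if (!expired && rolling && cookie.maxAge != null) {
    // Legitimate sliding expiry: extend only a session that is still valid.
    cookie.expires = new Date(nowMs + cookie.maxAge);
  }
  return { expired, cookie };
}

// Constructed scenario: a session with a 1 second maxAge, created at t=0,
// loaded again at t=5s (long after it should have expired).
function demo() {
  const session = makeSession(0, 1000);
  const stale = 5000;
  return {
    vulnerableExpired: vulnerableLoad(session, stale).expired, // false: never expires
    hardenedExpired: hardenedLoad(session, stale).expired,     // true: correctly expired
    hardenedFreshExpired: hardenedLoad(session, 500).expired,  // false: still within maxAge
  };
}

console.log(demo());
```

Running the block shows the vulnerable loader reporting the five-second-old session as live while the hardened loader reports it expired. When auditing a fix for this class of bug, the check to make is exactly this: the expiry decision must be taken against the value that was persisted, and any recomputation from maxAge must come after that decision.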