First published: Thu Dec 09 2021
Express OpenID Connect is Express.js middleware that implements sign-on for Express web apps using OpenID Connect. Versions up to and including `2.5.1` do not regenerate the session id and session cookie when a user logs in: the identifier the browser held before authentication continues to identify the session after authentication. This leaves the application open to session fixation, where an attacker who can plant a known session id in a victim's browser (or otherwise learn the pre-login id) uses that same id after the victim logs in and is treated as the victim. Version `2.5.2` contains a patch for this issue.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Auth0 Express Openid Connect | >=2.3.0, <2.5.2 | Upgrade to 2.5.2; fix commit: https://github.com/auth0/express-openid-connect/commit/5ab67ff2bd84f76674066b5e129b43ab5f2f430f |