
Session Fixation


Severity High
Score 8.1/10


The package @fastify/passport is a port of the passport authentication library for the Fastify ecosystem. Applications that use @fastify/passport for user authentication in affected versions (prior to 1.1.0, and 2.0.x prior to 2.3.0), in combination with @fastify/session as the underlying session management mechanism, are vulnerable to session fixation attacks from network and same-site attackers. These Fastify applications rely on the @fastify/passport library for user authentication; the login and user validation are performed by the "authenticate" function. When this function executes, the "sessionId" is preserved between the pre-login session and the authenticated session. Network and same-site attackers can therefore hijack the victim's session by planting a valid "sessionId" cookie in the victim's browser and waiting for the victim to log in on the website. As a fix, newer versions of @fastify/passport regenerate the "sessionId" upon login, preventing an attacker-controlled pre-login session cookie from being upgraded to an authenticated session. Users are advised to upgrade. There are no known workarounds for this vulnerability.

  • LOW
  • HIGH
  • NONE
  • HIGH
  • NONE

CWE-384 - Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Advisory Timeline

  • Published