Session Fixation
CVE-2023-29019
Summary
The package @fastify/passport is a port of the passport authentication library to the Fastify ecosystem. Applications that use @fastify/passport for user authentication in affected versions (prior to 1.1.0, and 2.0.x prior to 2.3.0), together with @fastify/session as the underlying session management mechanism, are vulnerable to session fixation by network and same-site attackers. In these applications login and user validation are performed by the "authenticate" function, and when it runs, the "sessionId" is preserved between the pre-login session and the authenticated session. An attacker can therefore plant a valid pre-login "sessionId" cookie in the victim's browser, wait for the victim to log in, and then replay that same cookie to act as the victim. As a fix, newer versions of @fastify/passport regenerate the "sessionId" upon login, so the attacker-controlled pre-login cookie can never be upgraded to an authenticated session. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS v3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: REQUIRED
- Scope: UNCHANGED
- Confidentiality: HIGH
- Integrity: HIGH
- Availability: NONE
CWE-384 - Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.