@fastify/passport is vulnerable to Session Fixation. The vulnerability exists because user validation is not properly performed in the logIn and logOut functions of SecureSessionManager.ts, which allows an attacker to hijack the victim's session by planting a valid sessionId cookie in the victim's browser and waiting for the victim to log in on the website. Note that the vulnerability is only applicable if the app is using @fastify/session as the underlying session management mechanism.
github.com/advisories/GHSA-4m3m-ppvx-xgw9
github.com/fastify/fastify-passport/commit/43c82c321db58ea3e375dd475de60befbfcf2a11
github.com/fastify/fastify-passport/commit/52f9f6ebb6da6e3b56578e4ea17379b6d0f6645e
github.com/fastify/fastify-passport/pull/844
github.com/fastify/fastify-passport/security/advisories/GHSA-4m3m-ppvx-xgw9
owasp.org/www-community/attacks/Session_fixation