Mitar

**Name of the Vulnerable Software and Affected Versions** ORY Fosite versions 0.30.2 through 0.34.1 **Description** The issue allows an attacker to override the registered redirect URL by performing an OAuth flow and requesting a redirect URL that is to the loopback adapter. Attackers can provide custom URL query parameters to their loopback redirect URL, as well as override the host of the registered redirect URL. These attacks are only applicable in scenarios where the attacker has access over the loopback interface. **Recommendations** For versions 0.30.2 through 0.34.1, update to ORY Fosite v0.34.1 to resolve the issue. As a temporary workaround, consider restricting access to loopback interfaces to minimize the risk of exploitation. Avoid using custom URL query parameters in redirect URLs for loopback interfaces until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ORY Fosite versions prior to 0.34.1 **Description** The issue arises from the comparison of the OAuth 2.0 Client's registered redirect URLs and the redirect URL provided at the OAuth2 Authorization Endpoint using strings.ToLower instead of a simple string match. This allows an attacker to register a client with an allowed redirect URL, such as https://example.com/callback, and then perform an OAuth2 flow requesting a redirect URL like https://example.com/CALLBACK. As a result, the browser is redirected to https://example.com/CALLBACK with a potentially successful OAuth2 response, depending on the state of the overall OAuth2 flow. **Recommendations** For versions prior to 0.34.1, update to ORY Fosite version 0.34.1 to resolve the issue. As a temporary workaround, consider disabling the OAuth2 flow for clients with registered redirect URLs that may be exploited until a patch is applied. Restrict access to the OAuth2 Authorization Endpoint to minimize the risk of exploitation. Avoid using case-insensitive comparisons for redirect URLs in the affected OAuth2 flow until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** npm versions prior to 2.15.1 npm versions 3.x prior to 3.8.3 Node.js versions 0.10 prior to 0.10.44 Node.js versions 0.12 prior to 0.12.13 Node.js versions 4 prior to 4.4.2 Node.js versions 5 prior to 5.10.0 **Description** The issue allows remote HTTP servers to obtain sensitive information by reading Authorization headers, as the CLI in npm includes bearer tokens with arbitrary requests. An attacker could create an HTTP server to collect tokens and compromise the user's token by causing the npm CLI to make a request to that server. This compromised token could be used to perform actions that the user could do, including publishing new packages. **Recommendations** Update npm with `npm install npm@latest -g` Revoke your Tokens Enable Two-Factor Authentication