CVE-2017-18924

Name of the Vulnerable Software and Affected Versions: oauth2-server (aka node-oauth2-server) versions 3.1.1 and earlier

Description: The issue is related to the implementation of OAuth 2.0 without PKCE, which does not prevent authorization code injection. This is similar to a previously known issue. The vendor has stated that they do not consider this a vulnerability with the library itself, as the relevant RFC is an extension.

Recommendations: For versions 3.1.1 and earlier, consider implementing PKCE to prevent authorization code injection as a mitigation measure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.