PT-2021-23346 · Unknown · Passport-Oauth2

Ben12385

·

Published

2021-09-27

·

Updated

2024-08-04

·

CVE-2021-41580

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

passport-oauth2 versions prior to 1.6.1

Description

passport-oauth2 mishandles the error condition that arises when it fails to obtain an access token. The issue is exploitable only in certain deployments: when the OAuth identity provider reports an authentication failure with an HTTP 200 status code (so the failure is visible only in the response body), and the application grants authorization as soon as the strategy reports an access token, without ever attempting to use that token, a failed token exchange can be treated as a successful authentication.

Recommendations

For versions prior to 1.6.1, update to version 1.6.1 or later. As a temporary workaround, modify the application so that it verifies the access token by actually using it (for example, by calling the provider's user-info or resource endpoint and requiring a successful response) before granting authorization. Until the update is applied, restrict access to the affected authentication endpoint to reduce exposure.
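The failure mode described above, and both ways of closing it, as an added JavaScript example (this is illustration code written for this entry, not passport-oauth2's own source or its 1.6.1 fix). The identity provider, its authorization codes, the token endpoint and the user-info endpoint are all constructed in memory for the example; `exchangeCodeVulnerable`, `exchangeCodeHardened`, `grantOnTokenReceipt` and `grantAfterUsingToken` are hypothetical names. The vulnerable exchange treats any non-error HTTP status as success; the hardened one inspects the body for an error object and a usable `access_token`; the second application function implements the advisory's workaround of using the token before trusting it.

```javascript
'use strict';

// Constructed identity provider for this example (not a real IdP). Its token
// endpoint always answers HTTP 200; a failed code exchange is signalled only
// by an RFC 6749 section 5.2 style error object in the body.
const CODES = new Map([['good-code', 'tok-abc123']]);

function fakeTokenEndpoint(code) {
  const token = CODES.get(code);
  const body = token
    ? { access_token: token, token_type: 'Bearer' }
    : { error: 'invalid_grant', error_description: 'unknown authorization code' };
  return { status: 200, body: JSON.stringify(body) };
}

// Constructed resource server: accepts only tokens the IdP actually issued.
const ISSUED = new Set(CODES.values());
function fakeUserInfo(accessToken) {
  return ISSUED.has(accessToken) ? { status: 200, sub: 'user-1' } : { status: 401 };
}

// Vulnerable exchange (hypothetical): anything that is not an HTTP error is
// taken as success, so the "token" handed back is whatever access_token the
// body contained, which for a failed exchange is undefined.
function exchangeCodeVulnerable(code) {
  const res = fakeTokenEndpoint(code);
  if (res.status >= 400) return { ok: false, error: 'HTTP ' + res.status };
  const params = JSON.parse(res.body);
  return { ok: true, accessToken: params.access_token };
}

// Hardened exchange (hypothetical): an error member in the body is a failure
// regardless of status code, and success requires a non-empty access_token.
function exchangeCodeHardened(code) {
  const res = fakeTokenEndpoint(code);
  if (res.status >= 400) return { ok: false, error: 'HTTP ' + res.status };
  let params;
  try {
    params = JSON.parse(res.body);
  } catch (e) {
    return { ok: false, error: 'unparseable token response' };
  }
  if (typeof params.error === 'string') return { ok: false, error: params.error };
  if (typeof params.access_token !== 'string' || params.access_token === '') {
    return { ok: false, error: 'no access_token in response' };
  }
  return { ok: true, accessToken: params.access_token };
}

// Application that grants authorization as soon as the exchange reports
// success: the pattern the advisory describes as exploitable.
function grantOnTokenReceipt(exchange, code) {
  return exchange(code).ok;
}

// Application following the advisory's workaround: use the token against the
// resource server and only treat the user as authenticated if that succeeds.
function grantAfterUsingToken(exchange, code) {
  const r = exchange(code);
  if (!r.ok) return false;
  return fakeUserInfo(r.accessToken).status === 200;
}

// Walk-through with an authorization code the IdP never issued: only the
// vulnerable exchange paired with a grant-on-receipt application lets it in.
console.log({
  vulnerableExchange_grantOnReceipt: grantOnTokenReceipt(exchangeCodeVulnerable, 'bad-code'),
  hardenedExchange_grantOnReceipt: grantOnTokenReceipt(exchangeCodeHardened, 'bad-code'),
  vulnerableExchange_grantAfterUse: grantAfterUsingToken(exchangeCodeVulnerable, 'bad-code'),
  hardenedExchange_goodCode: grantOnTokenReceipt(exchangeCodeHardened, 'good-code'),
});
```

Either fix alone is sufficient for this case: the hardened exchange refuses to report success without a real token, and the use-before-trust application rejects an undefined token because the resource server does. Applying both is the defensive choice, since the library-side check protects applications that never call a resource endpoint, and the application-side check protects against providers whose error bodies do not follow the expected shape.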

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2021-41580
GHSA-F794-R6XC-HF3V

Affected Products

Passport-Oauth2