PT-2022-28185 · Unknown · Redwood Dbauth

Published: 2022-11-10 · Updated: 2022-11-10

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Name of the Vulnerable Software and Affected Versions
Redwood dbAuth versions 0.38.0 through 3.3.0
Redwood dbAuth versions 0.38.0 through 2.2.4
Description
This issue affects the dbAuth "forgot password" feature in Redwood. A malicious user who knows a victim's username or email can obtain that user's reset token via the forgot-password API. With the leaked reset token, the malicious user could request a password reset for the victim, change their credentials and gain access to their account. To determine whether a project has been attacked, check logs for suspicious activity, such as a high volume of requests to the forgot-password API using non-existent emails, or reports from users that they are unable to access their accounts.
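The advisory points at one log pattern worth looking for: many forgot-password requests from one source that name accounts which do not exist. The following is an added example, not part of the advisory or of RedwoodJS, that scores such a pattern over access-log lines. The log line format, the IP addresses, the usernames and the set of known users are all constructed for illustration; in a real deployment the username check would be backed by the project's user table and the threshold tuned to normal traffic.

```javascript
// Added example (not advisory or RedwoodJS code): flag sources that hit the
// forgot-password API with many non-existent usernames.
// Everything below (log format, addresses, users) is constructed.

// Constructed set of accounts that actually exist.
const knownUsers = new Set(['alice@example.com', 'bob@example.com']);

// Constructed access-log lines: "<timestamp> <client ip> <auth method> username=<value>".
const sampleLogLines = [
  '2022-11-10T09:00:01Z 198.51.100.7 forgotPassword username=alice@example.com',
  '2022-11-10T09:00:05Z 203.0.113.5 forgotPassword username=aaron@example.com',
  '2022-11-10T09:00:06Z 203.0.113.5 forgotPassword username=abe@example.com',
  '2022-11-10T09:00:07Z 203.0.113.5 forgotPassword username=abby@example.com',
  '2022-11-10T09:00:08Z 203.0.113.5 forgotPassword username=bob@example.com',
  '2022-11-10T09:00:09Z 203.0.113.5 forgotPassword username=adam@example.com',
  '2022-11-10T09:01:00Z 192.0.2.9 login username=bob@example.com',
];

const LINE_RE = /^(\S+) (\S+) (\S+) username=(\S+)$/;

// Parse one constructed log line; return null for lines that do not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], ip: m[2], method: m[3], username: m[4] };
}

// Count forgot-password requests per client IP, splitting out those that
// name a username absent from the known set.
function summarizeForgotPassword(lines, known) {
  const perIp = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || rec.method !== 'forgotPassword') continue;
    const entry = perIp.get(rec.ip) || { total: 0, unknown: 0 };
    entry.total += 1;
    if (!known.has(rec.username)) entry.unknown += 1;
    perIp.set(rec.ip, entry);
  }
  return perIp;
}

// Return the sources whose count of unknown-username requests meets the threshold.
function flagSuspiciousSources(lines, known, unknownThreshold = 3) {
  const flagged = [];
  for (const [ip, counts] of summarizeForgotPassword(lines, known)) {
    if (counts.unknown >= unknownThreshold) flagged.push({ ip, ...counts });
  }
  return flagged;
}

console.log(flagSuspiciousSources(sampleLogLines, knownUsers));
```

Only requests to the forgot-password method are counted, so ordinary login traffic from the same address does not inflate the score; the flagged entry carries both the total and the unknown count so an analyst can see whether a source mixes real and non-existent accounts.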
Recommendations
For Redwood dbAuth versions 0.38.0 through 3.3.0, upgrade to version 3.3.1 or later. For Redwood dbAuth versions 0.38.0 through 2.2.4, upgrade to version 2.2.5 or later. As a temporary workaround on all release lines, manually strip out resetToken and resetTokenExpiresAt in the forgotPassword.handler() function. Users on the v3 and v2 release lines who use yarn v3 can apply the fix manually with yarn patch. Users on v3 can also disable the forgot-password flow entirely as a temporary measure.
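The workaround above amounts to making sure the value returned from forgotPassword.handler() no longer carries the two reset-token fields, since that return value is what ends up serialized into the API response. The following is an added example, not RedwoodJS project code and not the advisory's own patch: a handler that returns the user unchanged (the shape the workaround targets) beside one that strips resetToken and resetTokenExpiresAt, with a small helper that models the response-body serialization so the difference can be checked. The sample user record and the assumption that the handler receives a plain object with those field names are constructed for illustration.

```javascript
// Added example (not RedwoodJS code): strip reset-token fields in the
// forgotPassword handler so they never reach the HTTP response body.
// Field names come from the advisory; the user record is constructed.

// Constructed sample record as a handler might receive it (assumed shape).
const sampleUser = {
  id: 42,
  email: 'alice@example.com',
  resetToken: 'CONSTRUCTED-TOKEN-VALUE',
  resetTokenExpiresAt: '2022-11-10T12:00:00.000Z',
};

// Shape the workaround targets: returning the record unchanged means every
// field on it, the reset token included, is serialized into the response.
function forgotPasswordHandlerVulnerable(user) {
  return user;
}

// Hardened handler: the flow still needs a truthy return value to proceed,
// so return the record with the two reset-token fields removed.
function forgotPasswordHandlerHardened(user) {
  // eslint-disable-next-line no-unused-vars
  const { resetToken, resetTokenExpiresAt, ...safeUser } = user;
  return safeUser;
}

// Models how a handler's return value becomes the JSON response body
// (assumption about the surrounding flow; a falsy return yields an empty body).
function buildResponseBody(handler, user) {
  const result = handler(user);
  return result ? JSON.stringify(result) : '';
}

// Defender-side check: does a response body expose either sensitive field?
function leaksResetToken(body) {
  return body.includes('resetToken') || body.includes('resetTokenExpiresAt');
}

console.log('vulnerable leaks token:',
  leaksResetToken(buildResponseBody(forgotPasswordHandlerVulnerable, sampleUser)));
console.log('hardened leaks token:',
  leaksResetToken(buildResponseBody(forgotPasswordHandlerHardened, sampleUser)));
```

The hardened handler deliberately keeps the rest of the record intact, so any code that relies on a truthy return (or on the email for a notification step) keeps working while the token stays server-side; leaksResetToken() is the kind of assertion a project can keep in its test suite after applying the workaround or the upgrade.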

Fix

Related Identifiers

GHSA-3QMC-2R76-4RQP

Affected Products

Redwood Dbauth