CVE-2023-31999

Name of the Vulnerable Software and Affected Versions @fastify/oauth2 versions prior to 7.2.0

Description The issue arises from the statically generated state parameter used across all requests for all users, which should be unique per user to prevent Cross-Site-Request-Forgery attacks. The purpose of the Oauth2 state parameter is to prevent such attacks by being connected to the user's session for validation. The estimated number of potentially affected devices worldwide is not provided. There is no information about real-world incidents where this issue was exploited. Technical details about exploitation include the use of a statically generated state parameter. The checkStateFunction function has undergone a breaking change, now accepting the full Request object.

Recommendations For versions prior to 7.2.0, update to version 7.2.0 or later, which changes the default behavior to store the state in a cookie with the http-only and same-site=lax attributes set, generating the state for every user. As a temporary workaround, consider implementing a unique state parameter per user and connecting it to the user's session to allow server validation. Restrict access to the checkStateFunction function until the update is applied.