CVE-2024-31999

Name of the Vulnerable Software and Affected Versions @festify/secure-session versions prior to 7.3.0

Description The issue exists in the session removal process of @festify/secure-session. When a session is deleted, it is marked for deletion, but if an attacker gains access to the cookie, they could keep using it forever. The plugin creates a secure stateless cookie session for Fastify, encrypting data in the session with a secret key and attaching the ciphertext as a cookie value. When an encrypted cookie with a matching session name is provided with subsequent requests, it decrypts the ciphertext to get the data and creates a new session.

Recommendations For versions prior to 7.3.0, update to version 7.3.0 to resolve the issue. As a temporary workaround, consider including a "last update" field in the session and treat "old sessions" as expired. Make sure to configure your cookie as "http only" to minimize the risk of exploitation.