PT-2024-26385 · Unknown · @Fastify/Session

Kaanoz1 · Published 2024-05-21 · Updated 2024-05-22 · CVE-2024-35220

CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: @fastify/session versions prior to 10.8.0; @fastify/session versions prior to 10.9.0

Description: The issue arises when the cookie is restored from the session store: if the maxAge field was set, the stored expires field is overridden by a fresh value computed from maxAge at restore time. Because the absolute expiry is replaced every time the session is loaded, a cookie is never correctly detected as expired, and expired sessions are therefore not destroyed; a session keeps being accepted for as long as its cookie is presented.

Recommendations: For versions prior to 10.8.0, update to version 10.8.0 or later to resolve the issue. For versions prior to 10.9.0, update to version 10.9.0 or later to resolve the issue. As a temporary workaround, consider implementing custom session expiration logic that does not rely on the cookie's restored expires value, for example an absolute deadline recorded in the session data that is checked on every request, with the session destroyed once it has passed.
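
The following is an added example written for this page; it is not code from @fastify/session, from the fix, or from the advisory author. It models the restore step described above with a minimal session record and two restore strategies: one that recomputes expires from maxAge at restore time (the behaviour the description explains) and one that keeps the stored absolute expiry. It goes one step beyond the description by also sketching the recommended workaround, an absolute deadline stored in the session data. The function names (storedRecord, restoreVulnerable, restoreFixed, isExpired, expiryDetectedAfterIdle, stampSession, sessionWithinLifetime), the hardExpiresAt field, and all timestamps and lifetimes are assumptions constructed for the example.

```javascript
// Added example, not @fastify/session's own code. All names, timestamps and
// lifetimes below are constructed for illustration.

// What the session store holds for one session: the absolute expiry as an
// ISO string and the relative lifetime the cookie was issued with.
function storedRecord(createdAt, maxAgeMs) {
  return {
    maxAge: maxAgeMs,
    expires: new Date(createdAt + maxAgeMs).toISOString(),
  };
}

// Vulnerable restore (the behaviour the advisory describes): because maxAge
// is set, `expires` is recomputed relative to the time of the restore. Every
// request that presents the cookie pushes the deadline forward, so the
// session is never seen as expired.
function restoreVulnerable(record, now) {
  const cookie = {
    maxAge: record.maxAge,
    expires: record.expires ? new Date(record.expires) : null,
  };
  if (cookie.maxAge != null) {
    cookie.expires = new Date(now + cookie.maxAge); // overrides the stored expiry
  }
  return cookie;
}

// Fixed restore: the stored absolute `expires` is authoritative and the
// remaining maxAge is derived from it, not the other way round.
function restoreFixed(record, now) {
  const cookie = {
    maxAge: record.maxAge,
    expires: record.expires ? new Date(record.expires) : null,
  };
  if (cookie.expires) {
    cookie.maxAge = Math.max(0, cookie.expires.getTime() - now);
  }
  return cookie;
}

// Expiry check applied after restore; an expired session should be destroyed.
function isExpired(cookie, now) {
  return cookie.expires !== null && cookie.expires.getTime() <= now;
}

// Lifecycle: a cookie is issued at t0 and written to the store; a request
// arrives idleMs later and the session is restored. Returns whether the
// restore strategy lets the expiry check detect an expired session.
function expiryDetectedAfterIdle(restore, maxAgeMs, idleMs) {
  const t0 = Date.UTC(2024, 4, 21, 12, 0, 0); // constructed: 2024-05-21T12:00:00Z
  const record = storedRecord(t0, maxAgeMs);
  const now = t0 + idleMs;
  return isExpired(restore(record, now), now);
}

// Workaround in the spirit of the recommendation: keep an absolute deadline
// inside the session data and enforce it independently of the cookie's
// restored expires. `session` is a plain object standing in for whatever a
// request hook hands you (an assumption, not the plugin's API); a hook that
// finds sessionWithinLifetime() false would destroy the session.
function stampSession(session, now, maxAgeMs) {
  session.hardExpiresAt = now + maxAgeMs;
  return session;
}

function sessionWithinLifetime(session, now) {
  return typeof session.hardExpiresAt === 'number' && now < session.hardExpiresAt;
}

const HOUR = 60 * 60 * 1000;

// A one-hour session that has been idle for two hours:
console.log('vulnerable restore reports expired:',
  expiryDetectedAfterIdle(restoreVulnerable, HOUR, 2 * HOUR)); // false
console.log('fixed restore reports expired:',
  expiryDetectedAfterIdle(restoreFixed, HOUR, 2 * HOUR)); // true
```

Run with node. The two printed lines show the vulnerable restore reporting a two-hour-old one-hour session as still live, while the fixed restore reports it expired; the workaround helpers give the same answer regardless of what the cookie's expires field says after restore.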

Weakness Enumeration

Insufficient Session Expiration
Related Identifiers

CVE-2024-35220
GHSA-PJ27-2XVP-4QXG

Affected Products

@Fastify/Session