PT-2024-29971 · Unknown · Oauth Library For Nim

Rikaardhosein

·

Published

2024-08-15

·

Updated

2024-08-19

·

CVE-2024-42475

CVSS v3.1

6.5

Medium

Vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OAuth library for Nim, versions prior to 0.11
Description: The state values produced by the generateState function do not have sufficient entropy. An attacker who can guess the state value pending in a victim's session can forge the OAuth callback and perform a CSRF attack, associating the victim's session with the attacker's protected resources. generateState should derive state values from a cryptographically secure pseudorandom number generator (CSPRNG). The issue is resolved in version 0.11, which generates state values with at least 128 bits of entropy from a CSPRNG.
Recommendations: For versions prior to 0.11, update to version 0.11, which changes generateState to produce state values with sufficient entropy from a CSPRNG. As a temporary workaround until the update is applied, generate state values (at least 128 bits) with a CSPRNG in application code instead of relying on generateState. In either case the state must be bound to the user's session and compared against the value returned in the callback; an unguessable state that is never checked provides no CSRF protection.
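The following is an added illustration for this advisory, written in Python; it is not code from the Nim OAuth library or its fix. It shows the pattern the recommendation describes: a 128-bit state drawn from a CSPRNG, bound to the session, consumed once and compared in constant time on the callback. The weak_state generator, the endpoint URLs and the client identifiers are constructed stand-ins and do not reflect the library's actual generateState; guesses_to_hijack simulates the CSRF against both generators so the difference in guessability is visible.

```python
"""OAuth 2.0 ``state`` handling: CSPRNG generation and single-use verification.

Constructed illustration for this advisory. Not code from the Nim OAuth
library; weak_state() is a stand-in for a low-entropy generator, not the
library's real generateState.
"""
import hmac
import random
import secrets
from typing import Callable, Dict, Iterable, Optional
from urllib.parse import parse_qs, urlencode, urlparse

STATE_BYTES = 16  # 128 bits from the OS CSPRNG, the floor the fix targets

# Assumed values for the example; not taken from the library or the advisory.
AUTHORIZE_ENDPOINT = "https://provider.example/authorize"
CLIENT_ID = "client-123"
REDIRECT_URI = "https://app.example/callback"


def generate_state(n_bytes: int = STATE_BYTES) -> str:
    """Unguessable, URL-safe state: n_bytes * 8 bits from the secrets CSPRNG."""
    return secrets.token_urlsafe(n_bytes)


def weak_state() -> str:
    """Constructed low-entropy generator (about 13 bits): trivially enumerable."""
    return f"{random.randrange(10_000):04d}"


def begin_authorization(session: Dict[str, str],
                        state_fn: Callable[[], str] = generate_state) -> str:
    """Bind a fresh state to the user's session and build the authorize URL."""
    state = state_fn()
    session["oauth_state"] = state
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI, "state": state})
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def finish_authorization(session: Dict[str, str], callback_url: str) -> Optional[str]:
    """Return the authorization code only if the callback's state matches the session's.

    The stored state is consumed whether or not the check passes (single use)
    and compared in constant time. None means reject: do not exchange the code.
    """
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    returned = params.get("state", [None])[0]
    if expected is None or returned is None:
        return None
    if not hmac.compare_digest(expected.encode(), returned.encode()):
        return None
    return params.get("code", [None])[0]


def attacker_callback(code: str, state_guess: str) -> str:
    """Callback URL the attacker lures the victim to: attacker's code, guessed state."""
    return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': state_guess})}"


def guesses_to_hijack(state_fn: Callable[[], str], candidates: Iterable[str],
                      limit: int) -> Optional[int]:
    """Simulate the CSRF: the victim has a flow pending, the attacker tries states.

    Each attempt runs against a copy of the victim's session so the pending
    flow stays armed. Returns the number of guesses needed, or None if all
    `limit` guesses are rejected.
    """
    victim: Dict[str, str] = {}
    begin_authorization(victim, state_fn)
    for n, guess in enumerate(candidates, start=1):
        if n > limit:
            return None
        trial = dict(victim)
        if finish_authorization(trial, attacker_callback("ATTACKER-CODE", guess)) == "ATTACKER-CODE":
            return n
    return None


if __name__ == "__main__":
    weak = guesses_to_hijack(weak_state, (f"{i:04d}" for i in range(10_000)), 10_000)
    strong = guesses_to_hijack(generate_state, (generate_state() for _ in range(1_000)), 1_000)
    print(f"weak state hijacked after {weak} guesses; 128-bit state after 1000 guesses: {strong}")
```

The weak generator falls to a search of at most 10,000 candidates, while the 128-bit state is never matched. The check is only as good as its binding: the state must be stored server-side or in a signed session, popped on first use so a replayed callback fails, and compared with hmac.compare_digest rather than ==.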

Weakness Enumeration

Use of Insufficiently Random Values (CWE-330)

Cross-Site Request Forgery (CSRF) (CWE-352)

Related Identifiers

CVE-2024-42475
GHSA-332C-Q46H-FG8F

Affected Products

Oauth Library For Nim