VYPR
Moderate severity · NVD Advisory · Published Dec 9, 2021 · Updated Aug 4, 2024

Session fixation in express-openid-connect

CVE-2021-41246

Description

Express OpenID Connect is Express.js middleware implementing sign-on for Express web apps using OpenID Connect. Versions up to and including 2.5.1 do not regenerate the session id and session cookie when a user logs in. This behavior opens up the application to various session fixation vulnerabilities. Version 2.5.2 contains a patch for this issue.


Affected packages

Versions sourced from the GitHub Security Advisory.

Package: express-openid-connect (npm)
Affected versions: >= 2.3.0, < 2.5.2
Patched versions: 2.5.2
