Moderate severity · NVD Advisory · Published Dec 9, 2021 · Updated Aug 4, 2024
Session fixation in express-openid-connect
CVE-2021-41246
Description
Express OpenID Connect is Express.js middleware that implements sign-on for Express web apps using OpenID Connect. Versions up to and including 2.5.1 do not regenerate the session id and session cookie when a user logs in, so a session id issued before authentication remains valid after it. This behavior exposes the application to session fixation vulnerabilities. Version 2.5.2 contains a patch for this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| express-openid-connect (npm) | >= 2.3.0, < 2.5.2 | 2.5.2 |
Affected products
- Range: >= 2.3.0, < 2.5.2
References
- https://github.com/advisories/GHSA-7rg2-qxmf-hhx9 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2021-41246 (NVD advisory)
- https://github.com/auth0/express-openid-connect/commit/5ab67ff2bd84f76674066b5e129b43ab5f2f430f (fix commit)
- https://github.com/auth0/express-openid-connect/releases/tag/v2.5.2 (patched release)
- https://github.com/auth0/express-openid-connect/security/advisories/GHSA-7rg2-qxmf-hhx9 (vendor advisory)