Moderate severityNVD Advisory· Published Nov 18, 2024· Updated Nov 18, 2024

Session Hijacking in Firebase JavaScript SDK

CVE-2024-11023

Description

Firebase JavaScript SDK utilizes a "FIREBASE_DEFAULTS" cookie to store configuration data, including an "_authTokenSyncURL" field used for session synchronization. If this cookie field is preset via an attacker by any other method, the attacker can manipulate the "_authTokenSyncURL" to point to their own server and it would allow an actor to capture user session data transmitted by the SDK. We recommend upgrading Firebase JS SDK at least to 10.9.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
firebasenpm	< 10.9.0	10.9.0

Affected products

ghsa-coords
pkg:npm/firebase
Range: < 10.9.0
Firebase/Firebase JavaScript SDKcpe-rescue
Range: 0

Patches

Vulnerability mechanics

References

github.com/advisories/GHSA-3wf4-68gx-mph8ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-11023ghsaADVISORY
firebase.google.com/support/release-notes/jsghsaWEB
github.com/firebase/firebase-js-sdk/commit/245dd26e19b6c16aca7e1b7e597ed5784c2984baghsaWEB
github.com/firebase/firebase-js-sdk/pull/8056ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000