Medium severity6.5OSV Advisory· Published Aug 15, 2024· Updated Apr 15, 2026
CVE-2024-42475
CVE-2024-42475
Description
In the OAuth library for nim prior to version 0.11, the state values generated by the generateState function do not have sufficient entropy. These can be successfully guessed by an attacker allowing them to perform a CSRF vs a user, associating the user's session with the attacker's protected resources. While state isn't exactly a cryptographic value, it should be generated in a cryptographically secure way. generateState should be using a CSPRNG. Version 0.11 modifies the generateState function to generate state values of at least 128 bits of entropy while using a CSPRNG.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.