Medium severity6.5NVD Advisory· Published Aug 15, 2024· Updated Apr 15, 2026

CVE-2024-42475

Description

In the OAuth library for nim prior to version 0.11, the state values generated by the generateState function do not have sufficient entropy. These can be successfully guessed by an attacker allowing them to perform a CSRF vs a user, associating the user's session with the attacker's protected resources. While state isn't exactly a cryptographic value, it should be generated in a cryptographically secure way. generateState should be using a CSPRNG. Version 0.11 modifies the generateState function to generate state values of at least 128 bits of entropy while using a CSPRNG.

Patches

ec2e058fc46f

https://github.com/cordea/oauthvia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000