VYPR
Medium severity · 6.5 · OSV Advisory · Published Aug 15, 2024 · Updated Apr 15, 2026

CVE-2024-42476

Description

In the OAuth library for Nim prior to version 0.11, the Authorization Code grant and Implicit grant both rely on the state parameter to prevent cross-site request forgery (CSRF) attacks where a resource owner might have their session associated with protected resources belonging to an attacker. When this project is compiled with certain compiler flags set, it is possible that the state parameter will not be checked at all, creating a CSRF vulnerability. Version 0.11 checks the state parameter using a regular if statement or doAssert instead of relying on a plain assert. doAssert will achieve the desired behavior even if -d:danger or --assertions:off is set.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Nim OAuth library prior to 0.11 uses assert for state parameter validation, which is omitted in builds compiled with -d:danger or --assertions:off, causing a CSRF vulnerability.

Vulnerability

Overview

In the OAuth library for Nim prior to version 0.11, the Authorization Code grant and Implicit grant both rely on the state parameter to prevent cross-site request forgery (CSRF) attacks. However, the library checks this parameter using a plain assert statement (see [1], [2]). According to Nim's documentation, assertions are disabled when compiling with -d:danger or --assertions:off, which are typical for release builds. Consequently, no code is generated for the assert statement, meaning the state parameter is never validated ([3]).

Exploitation

An attacker can exploit this vulnerability by crafting a CSRF attack that does not require a valid state parameter. Since the state check is entirely omitted in release builds, the resource owner's session can be associated with protected resources belonging to the attacker. This attack is particularly effective in a cross-origin context, where the attacker tricks the victim into completing an OAuth flow without proper state validation.

Impact

Successful exploitation allows an attacker to perform actions on behalf of the victim without their consent, potentially compromising the victim's account or sensitive data. The vulnerability has a CVSS score of 6.5 (Medium), indicating a significant risk in scenarios where release builds are deployed.

Mitigation

The issue is fixed in version 0.11 of the library. The maintainers replaced the assert with a regular if statement or doAssert, which are not affected by compiler flags that disable assertions ([3]). Users should update to version 0.11 or later to eliminate the CSRF vulnerability.
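The difference between the three check styles named above, as an added example that is not the library's own code. The proc names and state strings are constructed for illustration, and the example assumes a Nim version that provides AssertionDefect and the default --panics:off so that the defect can be caught:

```nim
# Added example, not the OAuth library's code. Build it twice and compare:
#   nim c -r state_check.nim
#   nim c -d:danger -r state_check.nim
# All names and state values below are constructed for illustration.

type
  StateMismatchError = object of CatchableError
  StateCheck = proc (expected, received: string) {.nimcall.}

proc checkStateWithAssert(expected, received: string) =
  ## Pattern the advisory describes for versions before 0.11: a plain
  ## assert, for which no code is generated when assertions are off.
  assert expected == received, "OAuth state mismatch"

proc checkStateWithIf(expected, received: string) =
  ## Pattern the advisory describes for 0.11: a regular if statement,
  ## compiled in regardless of -d:danger or --assertions:off.
  if expected.len == 0 or received != expected:
    raise newException(StateMismatchError, "OAuth state mismatch")

proc checkStateWithDoAssert(expected, received: string) =
  ## doAssert stays enabled even when plain assertions are turned off.
  doAssert expected.len > 0 and received == expected, "OAuth state mismatch"

proc accepted(check: StateCheck; expected, received: string): bool =
  ## True when the check lets the callback through, false when it rejects it.
  try:
    check(expected, received)
    result = true
  except AssertionDefect, StateMismatchError:
    result = false

when isMainModule:
  let expected = "constructed-state-value"  # value stored with the session
  let received = "different-state-value"    # value arriving on the callback
  echo "assertions compiled in: ", compileOption("assertions")
  echo "assert accepts mismatch:   ",
    accepted(checkStateWithAssert, expected, received)
  echo "if accepts mismatch:       ",
    accepted(checkStateWithIf, expected, received)
  echo "doAssert accepts mismatch: ",
    accepted(checkStateWithDoAssert, expected, received)
```

Only the plain assert variant changes its answer between the two builds, which makes this a quick regression check for any security-relevant condition that is still expressed as an assert.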

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
