CVE-2024-35220

@fastify/session is a session plugin for fastify. Requires the @fastify/cookie plugin. When restoring the cookie from the session store, the `expires` field is overriden if the `maxAge` field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not destroyed. This vulnerability has been patched 10.8.0.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/fastify/session/commit/0495ce5b534c4550f25228821db8098293439f2f
https://github.com/fastify/session/issues/251
https://github.com/fastify/session/security/advisories/GHSA-pj27-2xvp-4qxg

Configurations

No configuration.

History

21 May 2024, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-21 21:15

Updated : 2024-05-22 12:46

NVD link : CVE-2024-35220

Mitre link : CVE-2024-35220

CVE.ORG link : CVE-2024-35220

JSON object : View

Products Affected

No product.

CWE

CWE-613

Insufficient Session Expiration

7.4 /10