CVE-2023-31999

Public Exploit

Description

All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be connected to the user's session in some way that will allow the server to validate it. v7.2.0 changes the default behavior to store the state in a cookie with the http-only and same-site=lax attributes set. The state is now by default generated for every user. Note that this contains a breaking change in the checkStateFunction function, which now accepts the full Request object.

Category

8.8
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.86% Top 30%
Affected: npm @fastify/oauth2
Published at:
Updated at:

References

Link Tags
https://hackerone.com/reports/2020418 permissions required
https://auth0.com/docs/secure/attack-protection/state-parameters exploit
https://github.com/fastify/fastify-oauth2/releases/tag/v7.2.0 release notes

Frequently Asked Questions

What is the severity of CVE-2023-31999?
CVE-2023-31999 has been scored as a high severity vulnerability.
How to fix CVE-2023-31999?
To fix CVE-2023-31999, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-31999 being actively exploited in the wild?
It is possible that CVE-2023-31999 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-31999?
CVE-2023-31999 affects npm @fastify/oauth2.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.