Skip to content

URL Redirection to Untrusted Site ('Open Redirect') in @okta/oidc-middleware

Moderate
robertdamphousse-okta published GHSA-58h4-9m7m-j9m4 Jan 5, 2023

Package

npm @okta/oidc-middleware (npm)

Affected versions

<5.0.0

Patched versions

>=5.0.0

Description

An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL.

Affected products and versions
Okta OIDC Middleware prior to version 5.0.0.

Resolution
The vulnerability is fixed in OIDC Middleware 5.0.0. To remediate this vulnerability, upgrade Okta OIDC Middleware to this version or later.

CVE details
CVE ID: CVE-2022-3145
Published Date: 01/05/2023
Vulnerability Type: Open Redirect
CWE: CWE-601
CVSS v3.1 Score: 4.3
Severity: Medium
Vector string: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Severity Details
To exploit this issue, an attacker would need to send a victim a malformed URL containing a target server that they control. Once a user successfully completed the login process, the victim user would then be redirected to the attacker controlled site.

Acknowledgements
Okta would like to thank Jasu Viding for reporting this vulnerability.

References
https://github.com/okta/okta-oidc-middleware

Severity

Moderate
4.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVE ID

CVE-2022-3145

Weaknesses

Credits