CVE-2021-41246

Summary

Express OpenID Connect is express JS middleware implementing sign on for Express web apps using OpenID Connect. Versions before and including 2.5.1 do not regenerate the session id and session cookie when user logs in. This behavior opens up the application to various session fixation vulnerabilities. Versions 2.5.2 contains a patch for this issue.

Affected Software

VendorProductVersion RangeStatus
auth0express-openid-connect>= 2.3.0, < 2.5.2affected

Weaknesses

  • CWE-384: CWE-384: Session Fixation

ADP Enrichment

CVE Program Container

Additional References

References