CVE-2023-28131

Summary

A vulnerability in the expo.io framework allows an attacker to take over accounts and steal credentials on an application/website that configured the "Expo AuthSession Redirect Proxy" for social sign-in. This can be achieved once a victim clicks a malicious link. The link itself may be sent to the victim in various ways (including email, text message, an attacker-controlled website, etc).

Affected Software

VendorProductVersion RangeStatus
Expo.ioExpo AuthSession moduleAll versions prior to SDK 48.* (Affected SDK 45.*, 46.* and 47.*)affected

Weaknesses

  • The use of AuthSession modules’s useProxy in Expo below SDK 48 may allow OAuth hijacking, which leads to credentials theft and Account Takeover.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References