CVE-2026-41213
5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the authorization code, an attacker who intercepts an authorization code can brute-force code_verifier guesses online until token issuance succeeds.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| node-oauth | node-oauth2-server | < 5.3.0 | affected |
Weaknesses
- CWE-307: CWE-307: Improper Restriction of Excessive Authentication Attempts
- CWE-1289: CWE-1289: Improper Validation of Unsafe Equivalence in Input
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.