@fastify/passport is a port of passport authentication library for the Fastify ecosystem. Applications using @fastify/passport
in affected versions for user authentication, in combination with @fastify/session
as the underlying session management mechanism, are vulnerable to session fixation attacks from network and same-site attackers. fastify applications rely on the @fastify/passport
library for user authentication. The login and user validation are performed by the authenticate
function. When executing this function, the sessionId
is preserved between the pre-login and the authenticated session. Network and same-site attackers can hijack the victims session by tossing a valid sessionId
cookie in the victims browser and waiting for the victim to log in on the website. As a solution, newer versions of @fastify/passport
regenerate sessionId
upon login, preventing the attacker-controlled pre-session cookie from being upgraded to an authenticated session. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Passport | Fastify | * | 1.1.0 (excluding) |
Passport | Fastify | 2.0.0 (including) | 2.3.0 (excluding) |
Such a scenario is commonly observed when: