CVE-2021-41580

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-41580

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41580.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-41580

Aliases

GHSA-f794-r6xc-hf3v

Published

2021-09-27T07:15:06.803Z

Modified

2025-11-20T11:54:23.110013Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

The passport-oauth2 package before 1.6.1 for Node.js mishandles the error condition of failure to obtain an access token. This is exploitable in certain use cases where an OAuth identity provider uses an HTTP 200 status code for authentication-failure error reports, and an application grants authorization upon simply receiving the access token (i.e., does not try to use the token). NOTE: the passport-oauth2 vendor does not consider this a passport-oauth2 vulnerability

Database specific

{
    "isDisputed": true
}

References

Affected packages

Git / github.com/jaredhanson/passport-oauth2

Affected ranges

Type: GIT
Repo: https://github.com/jaredhanson/passport-oauth2
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

8e3bcdff145a2219033bd782fc517229fe3e05ea

Affected versions

v1.*

v1.0.0

v1.1.0

v1.1.1

v1.1.2

v1.2.0

v1.3.0

v1.4.0

v1.5.0

v1.6.0