Skip to main content

Passport

4 CVEs product

Monthly

CVE-2026-39976 PHP HIGH PATCH GHSA This Week

Authentication bypass in Laravel Passport 13.0.0-13.7.0 allows machine-to-machine OAuth2 client_credentials tokens to impersonate arbitrary application users. The league/oauth2-server library sets JWT sub claim to client identifier for M2M flows; Passport's token guard fails to validate this identifier represents an actual user before passing to retrieveById(), enabling any M2M token to authenticate as unrelated real users. Affects all deployments using client_credentials grant type. Requires low-privilege authenticated access (PR:L). No public exploit identified at time of analysis.

Authentication Bypass Passport
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2023-29020 npm MEDIUM PATCH This Month

@fastify/passport is a port of passport authentication library for the Fastify ecosystem. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Passport
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2023-29019 npm HIGH PATCH This Week

@fastify/passport is a port of passport authentication library for the Fastify ecosystem. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Session Fixation Passport
NVD GitHub
CVSS 3.1
8.1
EPSS
0.8%
CVE-2022-25896 npm MEDIUM PATCH This Month

This affects the package passport before 0.6.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required.

Session Fixation Information Disclosure Passport
NVD GitHub
CVSS 3.1
4.8
EPSS
1.0%
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authentication bypass in Laravel Passport 13.0.0-13.7.0 allows machine-to-machine OAuth2 client_credentials tokens to impersonate arbitrary application users. The league/oauth2-server library sets JWT sub claim to client identifier for M2M flows; Passport's token guard fails to validate this identifier represents an actual user before passing to retrieveById(), enabling any M2M token to authenticate as unrelated real users. Affects all deployments using client_credentials grant type. Requires low-privilege authenticated access (PR:L). No public exploit identified at time of analysis.

Authentication Bypass Passport
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

@fastify/passport is a port of passport authentication library for the Fastify ecosystem. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Passport
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

@fastify/passport is a port of passport authentication library for the Fastify ecosystem. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Session Fixation Passport
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM PATCH This Month

This affects the package passport before 0.6.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required.

Session Fixation Information Disclosure Passport
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy