Passport
Monthly
Authentication bypass in Laravel Passport 13.0.0-13.7.0 allows machine-to-machine OAuth2 client_credentials tokens to impersonate arbitrary application users. The league/oauth2-server library sets JWT sub claim to client identifier for M2M flows; Passport's token guard fails to validate this identifier represents an actual user before passing to retrieveById(), enabling any M2M token to authenticate as unrelated real users. Affects all deployments using client_credentials grant type. Requires low-privilege authenticated access (PR:L). No public exploit identified at time of analysis.
@fastify/passport is a port of passport authentication library for the Fastify ecosystem. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.
@fastify/passport is a port of passport authentication library for the Fastify ecosystem. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
This affects the package passport before 0.6.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required.
Authentication bypass in Laravel Passport 13.0.0-13.7.0 allows machine-to-machine OAuth2 client_credentials tokens to impersonate arbitrary application users. The league/oauth2-server library sets JWT sub claim to client identifier for M2M flows; Passport's token guard fails to validate this identifier represents an actual user before passing to retrieveById(), enabling any M2M token to authenticate as unrelated real users. Affects all deployments using client_credentials grant type. Requires low-privilege authenticated access (PR:L). No public exploit identified at time of analysis.
@fastify/passport is a port of passport authentication library for the Fastify ecosystem. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.
@fastify/passport is a port of passport authentication library for the Fastify ecosystem. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
This affects the package passport before 0.6.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required.