Pocket Id
Pocket ID's OIDC provider does not re-validate the user's authorization state during the refresh token exchange, so a user who has been revoked, disabled, or is no longer authorized for a client can keep obtaining fresh access tokens indefinitely. Affects all versions prior to 2.6.0. Publicly available exploit code exists via GitHub security advisory GHSA-w6p7-2fxx-4f44. The attack requires low privileges and user interaction (CVSS 8.5), but it yields persistent unauthorized access that survives administrative revocation actions. Fixed in version 2.6.0.
Pocket ID versions prior to 2.4.0 do not properly validate authorization codes at the OIDC token endpoint: an attacker with valid credentials can exchange a code issued to one client at a different client, or reuse a code that has already expired. This authentication bypass affects any service that relies on Pocket ID for passkey-based authentication and allows tokens to be obtained without proper authorization. Public exploit code exists for this vulnerability, and no patch is currently available.
Pocket ID versions 2.0.0 through 2.3.x validate the callback (redirect) URL improperly, so an attacker can bypass redirect URI restrictions with a URL userinfo component (the '@' separator) and intercept the authorization code. Everything before the '@' is parsed as credentials rather than as the host, so a URL such as https://app.example@attacker.example/ (example hostnames) can pass a check that merely looks for the registered host at the start of the string, while the browser delivers the code to attacker.example. An attacker who tricks a user into clicking a crafted authorization link thereby receives that user's authorization code on an attacker-controlled server. Public exploit code exists for this vulnerability, and no patch is currently available.
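The three checks these entries describe as missing, as an added Go example written for this page and not Pocket ID's own code: exact-match redirect URI validation that rejects any userinfo, an authorization code exchange bound to the issuing client with expiry and single use, and a refresh exchange that re-checks the user's state and rotates the token. The in-memory Provider, the client "app", the user "alice", the sample codes and the hostnames are constructed for the example, and authorization state is reduced to a Disabled flag.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"time"
)

// In-memory provider state, constructed for this example; not Pocket ID's own data model.
type Client struct{ RedirectURIs []string } // registered values, compared by exact string match
type User struct{ Disabled bool }           // the state an administrator flips to revoke access
type AuthCode struct{ ClientID, UserID string; ExpiresAt time.Time; Used bool } // ClientID: issued-to client
type RefreshToken struct{ ClientID, UserID string; Revoked bool }
type Provider struct{ Clients map[string]*Client; Users map[string]*User; Codes map[string]*AuthCode; Refresh map[string]*RefreshToken }

var (
	ErrRedirectURI = errors.New("redirect_uri not registered for this client")
	ErrCode        = errors.New("authorization code invalid, expired, used, or issued to another client")
	ErrRefresh     = errors.New("refresh token invalid, revoked, or issued to another client")
	ErrUser        = errors.New("user is disabled")
)

// ValidateRedirectURI rejects any userinfo ("user@host") and requires an exact match: the URL
// "https://app.example@attacker.example/cb" parses with Host "attacker.example", so a host-prefix check is bypassed.
func (p *Provider) ValidateRedirectURI(clientID, redirect string) error {
	c, ok := p.Clients[clientID]
	u, err := url.Parse(redirect)
	if !ok || err != nil || u.User != nil || u.Host == "" {
		return ErrRedirectURI
	}
	for _, r := range c.RedirectURIs {
		if r == redirect {
			return nil
		}
	}
	return ErrRedirectURI
}

// ExchangeCode binds the code to the requesting client, enforces expiry, and burns it on first use.
func (p *Provider) ExchangeCode(clientID, code string) (string, error) {
	ac, ok := p.Codes[code]
	if !ok || ac.Used || ac.ClientID != clientID || !time.Now().Before(ac.ExpiresAt) {
		return "", ErrCode
	}
	ac.Used = true // single use, even if the user check below fails
	if u, ok := p.Users[ac.UserID]; !ok || u.Disabled {
		return "", ErrUser
	}
	return p.issueRefresh(clientID, ac.UserID), nil
}

// RefreshTokens repeats the user-state check on every refresh and rotates the token, so
// disabling or revoking a user ends the session at the next refresh instead of never.
func (p *Provider) RefreshTokens(clientID, token string) (string, error) {
	rt, ok := p.Refresh[token]
	if !ok || rt.Revoked || rt.ClientID != clientID {
		return "", ErrRefresh
	}
	rt.Revoked = true // the presented token dies whether or not a new one is issued
	if u, ok := p.Users[rt.UserID]; !ok || u.Disabled {
		return "", ErrUser
	}
	return p.issueRefresh(clientID, rt.UserID), nil
}

func (p *Provider) issueRefresh(clientID, userID string) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	t := hex.EncodeToString(b)
	p.Refresh[t] = &RefreshToken{ClientID: clientID, UserID: userID}
	return t
}

// NewDemoProvider returns constructed sample state: one client, one user, a live and an expired code.
func NewDemoProvider() *Provider {
	now := time.Now()
	return &Provider{
		Clients: map[string]*Client{"app": {RedirectURIs: []string{"https://app.example/cb"}}},
		Users:   map[string]*User{"alice": {}},
		Codes: map[string]*AuthCode{
			"code-alice":   {ClientID: "app", UserID: "alice", ExpiresAt: now.Add(10 * time.Minute)},
			"code-expired": {ClientID: "app", UserID: "alice", ExpiresAt: now.Add(-time.Minute)},
		},
		Refresh: map[string]*RefreshToken{},
	}
}

func main() {
	p := NewDemoProvider()
	rt, _ := p.ExchangeCode("app", "code-alice")
	p.Users["alice"].Disabled = true
	_, err := p.RefreshTokens("app", rt)
	fmt.Println(p.ValidateRedirectURI("app", "https://app.example@attacker.example/cb"), err)
}
```

Run with go run: the userinfo URL is rejected while the registered value passes, a second ExchangeCode of the same code fails, a code presented by a client other than the one it was issued to fails, and once the user is disabled the next RefreshTokens call returns ErrUser instead of a new token.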