CVE-2022-24794

Description

### Impact Users of the `requiresAuth` middleware, either directly or through the default `authRequired` option, are vulnerable to an Open Redirect when the middleware is applied to a catch all route. If all routes under `example.com` are protected with the `requiresAuth` middleware, a visit to `http://example.com//google.com` will be redirected to `google.com` after login because the original url reported by the Express framework is not properly sanitised. ### Am I affected? You are affected by this vulnerability if you are using the `requiresAuth` middleware on a catch all route or the default `authRequired` option and `express-openid-connect` version `<=2.7.1`. ### How to fix that? Upgrade to version `>=2.7.2` ### Will this update impact my users? The fix provided in the patch will not affect your users.

How to fix CVE-2022-24794

To remediate CVE-2022-24794, upgrade the affected package to a fixed version below.

• —upgrade to 2.7.2 or later

Is CVE-2022-24794 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2.7.2

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-24794
• PATCHgithub.com/auth0/express-openid-connect
• WEBgithub.com/auth0/express-openid-connect/commit/0947b92164a2c5f661ebcc183d37e7f21de719ad
• WEBgithub.com/auth0/express-openid-connect/security/advisories/GHSA-7p99-3798-f85c