Описание
@fastify/session reuses destroyed session cookie
Impact
When restoring the cookie from the session store, the expires field is overriden if the maxAge field was set.
This means a cookie is never correctly detected as expired and thus expired sessions are not destroyed.
Patches
Updating to v10.9.0 will solve this.
Workarounds
None
References
Publicly reported at: https://github.com/fastify/session/issues/251
Пакеты
Наименование
@fastify/session
npm
Затронутые версииВерсия исправления
< 10.9.0
10.9.0
Связанные уязвимости
CVSS3: 7.4
nvd
больше 1 года назад
@fastify/session is a session plugin for fastify. Requires the @fastify/cookie plugin. When restoring the cookie from the session store, the `expires` field is overriden if the `maxAge` field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not destroyed. This vulnerability has been patched 10.8.0.