CVE-2022-24794: Security Update for Express OpenID Connect Library
Published: March 30, 2022
CVE number: CVE-2022-24794
Overview
Users of the requiresAuth middleware, whether applied directly or through the default authRequired option (which applies the same check to every route), are vulnerable to an open redirect when the middleware is applied to a catch-all route.
If all routes under example.com are protected with the requiresAuth middleware, a visit to http://example.com//google.com is redirected to google.com after login, because the original URL reported by the Express framework (req.originalUrl) is not properly sanitised before it is used as the post-login return location. A value that begins with // is a scheme-relative URL, so the browser resolves the redirect to a different host rather than to a path on example.com.
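The following is an added illustration of the mechanism described above and of a same-origin check that closes it. It is not code from express-openid-connect and does not reproduce the 2.7.2 patch; the function names (browserResolves, vulnerableReturnTo, isSameOriginReturnTo, safeReturnTo) and the sample request paths are hypothetical, constructed for this example. The recommended fix remains upgrading the library.

```javascript
// Added example, not part of the express-openid-connect code base.
// Shows why echoing req.originalUrl into a post-login redirect is an open
// redirect, and one way to validate such a "returnTo" value against the
// application's own origin. All names and inputs below are constructed.

// Constructed samples of what Express reports as req.originalUrl for a request.
const SAMPLE_ORIGINAL_URLS = [
  '/dashboard?tab=1',     // legitimate deep link
  '//google.com',         // scheme-relative: browsers read this as https://google.com
  '/\\google.com',        // backslash variant; WHATWG URL parsing treats "\" as "/" here
  '///google.com',        // extra slashes before the authority are ignored
  'https://google.com/',  // absolute cross-origin URL
  '/..//google.com',      // resolves on-origin, but its pathname starts with "//"
];

// How a browser interprets a Location header, given the page that sent it.
function browserResolves(location, currentPage) {
  return new URL(location, currentPage).href;
}

// Vulnerable pattern: use the request path unchanged as the post-login target.
function vulnerableReturnTo(originalUrl) {
  return originalUrl;
}

// Resolve the candidate against the application's base URL and require the
// result to stay on that origin. Parse failures count as unsafe.
function isSameOriginReturnTo(originalUrl, baseURL) {
  const base = new URL(baseURL);
  try {
    return new URL(originalUrl, base).origin === base.origin;
  } catch {
    return false;
  }
}

// Hardened: return an absolute URL on the application's own origin, or the
// application root when the candidate is cross-origin or unparseable.
// Returning resolved.href rather than resolved.pathname matters: for
// "/..//google.com" the pathname is "//google.com", which would become a
// scheme-relative redirect again if it were echoed on its own.
function safeReturnTo(originalUrl, baseURL) {
  const base = new URL(baseURL);
  if (!isSameOriginReturnTo(originalUrl, baseURL)) {
    return base.href;
  }
  return new URL(originalUrl, base).href;
}

// Demo: what each sample does under the vulnerable and the hardened handling.
const BASE_URL = 'https://example.com';
const LOGIN_PAGE = 'https://example.com/login';
for (const u of SAMPLE_ORIGINAL_URLS) {
  const vulnerable = browserResolves(vulnerableReturnTo(u), LOGIN_PAGE);
  const hardened = safeReturnTo(u, BASE_URL);
  console.log(`${JSON.stringify(u).padEnd(22)} vulnerable -> ${vulnerable.padEnd(34)} hardened -> ${hardened}`);
}
```

The check resolves with the WHATWG URL parser that browsers also use, so variants such as a leading backslash or a run of extra slashes are judged by where the browser would actually land, not by a string prefix test.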
Am I affected?
You are affected by this vulnerability if you are using the requiresAuth middleware on a catch-all route, or the default authRequired option, with express-openid-connect version <=2.7.1.
How do I fix this?
Upgrade to version >=2.7.2. You can check which version is installed with npm ls express-openid-connect.
Will this update impact my users?
The fix provided in the patch will not affect your users. Legitimate requests are still returned to the page they originally asked for after login; only a request path that would have redirected to another host, such as //google.com, no longer does so.