CVE-2023-29019

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-29019
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-29019.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-29019
Aliases
Published
2023-04-21T22:28:55.045Z
Modified
2025-11-29T14:12:03.043695Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Session fixation in fastify-passport
Details

@fastify/passport is a port of passport authentication library for the Fastify ecosystem. Applications using @fastify/passport in affected versions for user authentication, in combination with @fastify/session as the underlying session management mechanism, are vulnerable to session fixation attacks from network and same-site attackers. fastify applications rely on the @fastify/passport library for user authentication. The login and user validation are performed by the authenticate function. When executing this function, the sessionId is preserved between the pre-login and the authenticated session. Network and same-site attackers can hijack the victim's session by tossing a valid sessionId cookie in the victim's browser and waiting for the victim to log in on the website. As a solution, newer versions of @fastify/passport regenerate sessionId upon login, preventing the attacker-controlled pre-session cookie from being upgraded to an authenticated session. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-384"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/29xxx/CVE-2023-29019.json"
}
References

Affected packages

Git / github.com/fastify/fastify-passport

Affected ranges

Type
GIT
Repo
https://github.com/fastify/fastify-passport
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
628664a0c86f489def6fd2303990ba059cca5417
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.1.0"
        }
    ]
}
Type
GIT
Repo
https://github.com/fastify/fastify-passport
Events
Introduced
673e5abc3f342170e65669c023cebb1f5f4b3784
Fixed
30843bc2f201879950311ad422bc57747a98f35f
Database specific 
{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.3.0"
        }
    ]
}

Affected versions

v0.*

v0.1.0
v0.2.0
v0.3.0
v0.4.1
v0.5.0

v1.*

v1.0.0
v1.0.1

v2.*

v2.0.0
v2.0.1
v2.1.0
v2.2.0