CVE-2024-42475
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-42475
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-42475.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-42475
- Aliases
-
- GHSA-332c-q46h-fg8f
- Published
- 2024-08-15T18:40:49.750Z
- Modified
- 2025-12-01T09:05:59.760042Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- OAuth library for nim allows insecure generation of state values by generateState - entropy too low and uses regular PRNG instead of CSPRNG
- Details
-
In the OAuth library for nim prior to version 0.11, the
statevalues generated by thegenerateStatefunction do not have sufficient entropy. These can be successfully guessed by an attacker allowing them to perform a CSRF vs a user, associating the user's session with the attacker's protected resources. Whilestateisn't exactly a cryptographic value, it should be generated in a cryptographically secure way.generateStateshould be using a CSPRNG. Version 0.11 modifies thegenerateStatefunction to generatestatevalues of at least 128 bits of entropy while using a CSPRNG. - Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-330", "CWE-352" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/42xxx/CVE-2024-42475.json" }- References
-
- https://github.com/CORDEA/oauth/blob/b8c163b0d9cfad6d29ce8c1fb394e5f47182ee1c/src/oauth2.nim#L179
- https://github.com/CORDEA/oauth/security/advisories/GHSA-332c-q46h-fg8f
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/42xxx/CVE-2024-42475.json
- https://nvd.nist.gov/vuln/detail/CVE-2024-42475