GHSA-jcjx-c3j3-44pr @cyyynthia/tokenize

Package

Manager: npm
Name: @cyyynthia/tokenize
Vulnerable Version: >=1.1.0 <1.1.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Insufficient Session Expiration in @cyyynthia/tokenize

### Impact

A bug introduced in version 1.1.0 made Tokenize generate faulty tokens with NaN as a generation date. As a result, tokens would not properly expire and remain valid regardless of the `lastTokenReset` field.

### Patches

Version 1.1.3 contains a patch that'll invalidate these faulty tokens and make new ones behave as expected.

### Workarounds

None. Tokens do not hold the necessary information to perform invalidation anymore.

### References

PR #1

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [github.com/cyyynthia/tokenize](https://github.com/cyyynthia/tokenize)
* Email us at [cynthia@cynthia.dev](mailto:cynthia@cynthia.dev)
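The following added example (not the tokenize package's own code) shows why a NaN generation date defeats both the expiry check and the `lastTokenReset` check: every relational comparison involving NaN evaluates to false in JavaScript, so a validator built only on `<`/`>` never rejects such a token. The token layout `<userId>.<base64 generatedAt>` and the one-day lifetime are assumptions made for the illustration; a hardened validator that rejects non-finite timestamps is shown beside the naive one.

```javascript
// Added example, not code from @cyyynthia/tokenize. Token format is a
// hypothetical simplification: "<userId>.<base64 of generatedAt in ms>".
const TOKEN_TTL_MS = 24 * 60 * 60 * 1000; // constructed: one-day lifetime

// Parse the constructed token format into its user id and generation date.
function parseToken(token) {
  const [userId, encoded] = token.split('.');
  const generatedAt = Number(Buffer.from(encoded || '', 'base64').toString('utf8'));
  return { userId, generatedAt };
}

// Naive check: relies only on relational comparisons. Since NaN > x and
// NaN < x are both false, a NaN generatedAt is never "expired" and never
// "older than lastTokenReset", so the token stays valid indefinitely.
function validateNaive(token, user, now = Date.now()) {
  const { userId, generatedAt } = parseToken(token);
  if (userId !== user.id) return false;
  if (now - generatedAt > TOKEN_TTL_MS) return false;  // NaN: false, not rejected
  if (generatedAt < user.lastTokenReset) return false; // NaN: false, not rejected
  return true;
}

// Hardened check: require a finite, plausible timestamp before applying
// the expiry and reset rules, so malformed dates fail closed.
function validateHardened(token, user, now = Date.now()) {
  const { userId, generatedAt } = parseToken(token);
  if (userId !== user.id) return false;
  if (!Number.isFinite(generatedAt) || generatedAt <= 0 || generatedAt > now) return false;
  if (now - generatedAt > TOKEN_TTL_MS) return false;
  if (generatedAt < user.lastTokenReset) return false;
  return true;
}

// Constructed sample data: a fixed "now", a user whose tokens were reset an
// hour ago, and three tokens (fresh, issued before the reset, and faulty).
const NOW = 1636400000000;
const user = { id: 'u1', lastTokenReset: NOW - 60 * 60 * 1000 };
const enc = (v) => Buffer.from(String(v)).toString('base64');
const freshToken = `u1.${enc(NOW - 1000)}`;
const preResetToken = `u1.${enc(NOW - 2 * 60 * 60 * 1000)}`;
const faultyToken = `u1.${enc(NaN)}`; // generation date serialised as "NaN"

console.log('naive accepts faulty token:', validateNaive(faultyToken, user, NOW));
console.log('hardened accepts faulty token:', validateHardened(faultyToken, user, NOW));
```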

Metadata

Created: 2021-11-10T16:44:12Z
Modified: 2021-11-08T21:09:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-jcjx-c3j3-44pr/GHSA-jcjx-c3j3-44pr.json
CWE IDs: ["CWE-613"]
Alternative ID: N/A
Finding: F076
Auto approve: 1