CVE-2020-26938: Multiple Security Vulnerabilities in Auth and Token Endpoint · Issue #637 · oauthjs/node-oauth2-server

I would like to report several security vulnerabilities that I found while using this OAuth server library.

The vulnerabilities and their consequences are listed as following:

Vulnerability 1: Missing PKCE support for public clients.

Consequences: As specified in RFC-7636 (https://tools.ietf.org/html/rfc7636), public clients (e.g., mobile/desktop apps) using Authorization Code Flow are susceptible to authorization code interception attack and PKCE is recommended to mitigate this attack. Since public clients cannot maintain client-side confidentiality regarding client secrets, such attacks have been noticed in the wild extensively.

Vulnerability 2: Does not revoke previously issued token if authorization_code is used more than once.

Consequences: As specified in RFC-6749 (https://tools.ietf.org/html/rfc6749#section-4.1.2), If an authorization code is used more than once, the authorization server must deny the request and should revoke all tokens previously issued based on that authorization code. Though OAuth2-server currently denies the request in such cases, it doesn’t revoke the tokens issued previously to the client, which leaves the user’s resources vulnerable as attackers might exploit the previous tokens to get them.

Vulnerability 3: Allows fragment in the redirect URI.

Consequences: Many OAuth attacks regarding misuse of redirect uris have been observed in the wild. As specified in the RFC-6749 (https://tools.ietf.org/html/rfc6749#section-3.1.2), authorization server should not allow fragments in the redirect uri as it allows the attackers to exploit the redirect uri and hence intercept the auth_code/token.

Any comments or fixes regarding these vulnerabilities?

Thank you.