CVE-2021-41246

Express OpenID Connect is express JS middleware implementing sign on for Express web apps using OpenID Connect. Versions before and including `2.5.1` do not regenerate the session id and session cookie when user logs in. This behavior opens up the application to various session fixation vulnerabilities. Versions `2.5.2` contains a patch for this issue.
Configurations

Configuration 1

cpe:2.3:a:auth0:express_openid_connect:*:*:*:*:*:node.js:*:*

Information

Published : 2021-12-09 04:15

Updated : 2021-12-14 12:40


NVD link : CVE-2021-41246

Mitre link : CVE-2021-41246

Products Affected
No products.
CWE
CWE-384

Session Fixation