CVE-2020-7787

8.2 HIGH

📋 TL;DR

CVE-2020-7787 is an authentication bypass vulnerability in react-adal where specially crafted JWT tokens with empty nonce values can be accepted as authentic due to improper storage validation. This affects all applications using react-adal for Azure Active Directory authentication. Attackers could impersonate legitimate users and gain unauthorized access to protected resources.

💻 Affected Systems

Products:
  • react-adal
Versions: All versions before the fix
Operating Systems: All platforms running JavaScript/Node.js applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using react-adal for Azure AD authentication. The vulnerability is in the client-side JavaScript library.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover allowing attackers to access sensitive data, perform privileged actions, and potentially pivot to other systems.

🟠 Likely Case: Unauthorized access to user accounts and application data, leading to data breaches and privilege escalation.

🟢 If Mitigated: Limited impact with proper network segmentation, strong monitoring, and multi-factor authentication in place.

🌐 Internet-Facing: HIGH - Web applications using react-adal for authentication are directly exposed to this vulnerability.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but may have additional network controls.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to obtain or craft a JWT token and trigger the authentication callback with empty session parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions with the fix from GitHub pull request #115

Vendor Advisory: https://github.com/salvoravida/react-adal/pull/115

Restart Required: Yes

Instructions:

  1. Update react-adal to the latest version.
  2. Rebuild and redeploy your application.
  3. Clear browser storage for affected users.
  4. Test authentication flows thoroughly.

🔧 Temporary Workarounds

Implement server-side token validation

all

Add additional server-side validation of JWT tokens beyond what react-adal provides

Use alternative authentication library

all

Migrate to a maintained alternative like MSAL.js for Azure AD authentication

🧯 If You Can't Patch

  • Implement strict network controls and WAF rules to monitor for authentication anomalies
  • Enable enhanced logging and monitoring for authentication events and failed attempts

🔍 How to Verify

Check if Vulnerable:

Check package.json for react-adal version and verify if it's before the fix from PR #115

Check Version:

npm list react-adal

Verify Fix Applied:

Verify react-adal version is updated and test authentication with various token scenarios

📡 Detection & Monitoring

Log Indicators:

  • Authentication attempts with empty session parameters
  • Unusual authentication patterns from same user
  • Multiple failed authentication attempts followed by success

Network Indicators:

  • HTTP requests with crafted callback URLs containing empty session parameters
  • Unusual JWT token patterns in authentication flows

SIEM Query:

source="application_logs" AND (message CONTAINS "empty session" OR message CONTAINS "authentication bypass" OR message CONTAINS "CVE-2020-7787")
