Login Sign Up

CVE-2022-24794

7.5 HIGH
Authentication Bypass Open Redirect

📋 TL;DR

This vulnerability in Express OpenID Connect middleware allows attackers to redirect users to malicious websites after authentication. It affects users who apply the 'requiresAuth' middleware to catch-all routes in Express web applications. The issue occurs because the middleware doesn't properly sanitize URLs before redirecting users after login.

💻 Affected Systems

Products:
  • Express OpenID Connect
Versions: All versions prior to 2.7.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects configurations where 'requiresAuth' middleware is applied to catch-all routes, either directly or through the default 'authRequired' option.

📦 What is this software?

Express Openid Connect by Auth0

View all CVEs affecting Express Openid Connect →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could redirect authenticated users to phishing sites that steal credentials or deliver malware, potentially leading to account compromise or system infection.

🟠

Likely Case

Attackers trick users into visiting crafted URLs that redirect them to malicious sites after login, enabling phishing attacks or credential harvesting.

🟢

If Mitigated

With proper URL validation and patching, redirects only go to trusted domains within the application's control.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (visiting a crafted URL) but doesn't require authentication. The vulnerability is simple to exploit once discovered.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.2

Vendor Advisory: https://github.com/auth0/express-openid-connect/security/advisories/GHSA-7p99-3798-f85c

Restart Required: Yes

Instructions:

1. Update package.json to require 'express-openid-connect' version '^2.7.2'. 2. Run 'npm update express-openid-connect'. 3. Restart your Express application.

🔧 Temporary Workarounds

No known workarounds

all

The vendor advisory states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Implement application-level URL validation to ensure redirects only go to trusted domains
  • Use route-specific middleware instead of catch-all routes for authentication

🔍 How to Verify

Check if Vulnerable:

Check if your Express application uses express-openid-connect version <2.7.2 and applies requiresAuth middleware to catch-all routes.

Check Version:

npm list express-openid-connect

Verify Fix Applied:

Verify the package.json shows express-openid-connect version >=2.7.2 and test that crafted URLs with double slashes don't redirect to external domains.

📡 Detection & Monitoring

Log Indicators:

  • Unusual redirect patterns in authentication logs
  • Requests containing double slashes followed by external domains

Network Indicators:

  • HTTP 302 redirects to unexpected external domains after authentication

SIEM Query:

source="auth_logs" AND (url="*//*" AND redirect_domain NOT IN allowed_domains)

📊 Metadata

CVE ID: CVE-2022-24794
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N
CWE: CWE-601
Published: March 31, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-24794, you might also want to check these:

CVE-2025-43526 9.8

A URL validation vulnerability in macOS and Safari allows web content opened via file URLs to bypass...

Same vulnerability type (CWE-601)
CVE-2025-55031 9.8

This vulnerability in Firefox and Focus for iOS allows malicious web pages to trigger hybrid passkey...

Same vulnerability type (CWE-601)
CVE-2024-22891 9.8

CVE-2024-22891 is a critical remote code execution vulnerability in Nteract v0.28.0 that allows atta...

Same vulnerability type (CWE-601)