CVE-2023-28131

9.6 CRITICAL

📋 TL;DR

This vulnerability in the expo.io framework allows attackers to hijack user accounts and steal credentials when victims click malicious links. It affects applications using Expo's AuthSession Redirect Proxy for social sign-in authentication. Developers who implemented this specific configuration are at risk.

💻 Affected Systems

Products:
  • Expo framework
  • Applications using Expo AuthSession Redirect Proxy
Versions: Versions using AuthSession with useProxy option configured
Operating Systems: All platforms supported by Expo (iOS, Android, web)
Default Config Vulnerable: ✅ No
Notes: Only affects applications that explicitly configured the AuthSession Redirect Proxy for social authentication flows.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete account takeover leading to credential theft, unauthorized access to user data, and potential lateral movement within affected applications.

🟠

Likely Case

Attackers steal user credentials and gain unauthorized access to accounts, potentially compromising personal data and application functionality.

🟢

If Mitigated

With proper controls and patching, the risk is eliminated as the vulnerability is addressed at the framework level.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (clicking malicious link) but is straightforward once the link is accessed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Expo SDK 48.0.0 and later

Vendor Advisory: https://blog.expo.dev/security-advisory-for-developers-using-authsessions-useproxy-options-and-auth-expo-io-e470fe9346df

Restart Required: Yes

Instructions:

1. Update Expo SDK to version 48.0.0 or later.
2. Update all dependencies.
3. Rebuild and redeploy applications.
4. Test authentication flows thoroughly.

🔧 Temporary Workarounds

Disable AuthSession Redirect Proxy (all platforms)

Temporarily disable the vulnerable AuthSession Redirect Proxy configuration: remove or comment out the useProxy configuration in the AuthSession setup.

🧯 If You Can't Patch

  • Implement additional authentication validation layers
  • Monitor for suspicious authentication attempts and implement rate limiting

🔍 How to Verify

Check if Vulnerable:

Check if your application uses Expo AuthSession with useProxy option configured for social authentication

Check Version:

Run expo --version, or check the expo version in package.json.

Verify Fix Applied:

Verify Expo SDK version is 48.0.0 or later and test authentication flows
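The two checks above (SDK version at or above 48.0.0, and whether the app enables useProxy at all) can be scripted. The following Node.js snippet is an added example, not code from the advisory or from the Expo project; the package.json and source text it inspects are constructed samples embedded inline, and the version check judges a caret or tilde range by its lower bound, so the installed version (lockfile or expo --version) remains authoritative.

```javascript
// Added example (not from the advisory or Expo): check a project for the two
// conditions in "How to Verify": expo below SDK 48.0.0, and AuthSession
// calls that set useProxy. Sample inputs below are constructed.

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-app",                                        // constructed sample
  dependencies: { expo: "~47.0.12", "expo-auth-session": "~3.8.0" },
});

const SAMPLE_SOURCE = `
import * as AuthSession from 'expo-auth-session';
const redirectUri = AuthSession.makeRedirectUri({ useProxy: true });
async function signIn(request, discovery) {
  const result = await request.promptAsync(discovery, { useProxy: true });
  return result;
}
`;

// Advisory fix threshold: Expo SDK 48.0.0 or later.
const PATCHED_EXPO = [48, 0, 0];

// Extract [major, minor, patch] from a version spec such as "^47.0.12".
// Range prefixes (^, ~, >=) are ignored, so this yields the range's lower bound.
function parseSemver(spec) {
  const m = String(spec).trim().match(/(\d+)\.(\d+)\.(\d+)/);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the declared expo version is at or above 48.0.0.
// An unparseable spec is treated as unpatched so it is not silently accepted.
function isPatchedExpoVersion(spec) {
  const v = parseSemver(spec);
  return v !== null && compareSemver(v, PATCHED_EXPO) >= 0;
}

// Return 1-based line numbers where useProxy is literally set to true.
// A value passed through a variable would not be caught by this text match.
function findUseProxy(source) {
  const hits = [];
  source.split("\n").forEach((line, idx) => {
    if (/\buseProxy\s*:\s*true\b/.test(line)) hits.push(idx + 1);
  });
  return hits;
}

// Combine both checks. Per the advisory's scope, an app is exposed only when
// it is on a pre-48 SDK AND enables the redirect proxy.
function assessProject(packageJsonText, sourceText) {
  const pkg = JSON.parse(packageJsonText);
  const deps = pkg.dependencies || {};
  const devDeps = pkg.devDependencies || {};
  const expoSpec = deps.expo || devDeps.expo || null;
  const patched = expoSpec !== null && isPatchedExpoVersion(expoSpec);
  const useProxyLines = findUseProxy(sourceText);
  return {
    expoVersion: expoSpec,
    patched,
    useProxyLines,
    vulnerable: !patched && useProxyLines.length > 0,
  };
}

console.log(assessProject(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCE));
```

On the constructed sample this reports the pre-48 SDK and flags lines 3 and 5 as enabling the proxy; swapping the dependency to "^48.0.0" clears the vulnerable flag even though the useProxy hits remain, matching the advisory's statement that the fix lands at the framework level.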

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns
  • Multiple failed login attempts from same IP
  • Authentication requests with unexpected redirect URLs

Network Indicators:

  • Suspicious redirect patterns in OAuth flows
  • Authentication requests to unexpected domains

SIEM Query:

auth_provider="expo" AND (redirect_url CONTAINS suspicious_domain OR auth_attempts > threshold)
