CVE-2024-35220
📋 TL;DR
This vulnerability in @fastify/session prevents proper session expiration when the session cookie has maxAge set. When a session is restored from the session store, its expires field is overridden with a fresh value derived from maxAge, so a session that should already have expired stays valid and a stale cookie keeps working. It affects applications running @fastify/session before the fixed release (10.8.0) with a cookie maxAge configured.
💻 Affected Systems
- @fastify/session
⚠️ Manual Verification Required
This CVE does not have version range information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry consulted here does not specify which versions are vulnerable (no version ranges). The vendor advisory linked below, however, names 10.8.0 as the fixed release, so treat any earlier version that configures cookie maxAge as affected until you have verified otherwise.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could hijack expired sessions to gain unauthorized access to user accounts, potentially leading to data breaches, privilege escalation, or account takeover.
Likely Case
Session persistence beyond intended expiration, allowing unauthorized access to user sessions that should have been terminated.
If Mitigated
Limited impact if sessions are also validated server-side and sensitive operations require re-authentication, but the underlying session-lifetime flaw remains until the package is updated.
🎯 Exploit Status
Exploitation requires possession of a valid session cookie (for example one stolen or leaked earlier). The flaw does not disclose cookies by itself; it keeps such a cookie usable past its intended expiry instead of the server rejecting it, which widens the window for session hijacking.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.8.0
Vendor Advisory: https://github.com/fastify/session/security/advisories/GHSA-pj27-2xvp-4qxg
Restart Required: Yes
Instructions:
1. Update @fastify/session to version 10.8.0 or later using npm update @fastify/session.
2. Restart your Fastify application.
3. Verify the fix by testing session expiration behavior.
🔧 Temporary Workarounds
Manual session cleanup
Implement custom session validation that checks a server-side stored expiry timestamp independently of the cookie's expires value restored from the store.
Disable maxAge
Remove the cookie maxAge configuration and rely on a server-side session timeout instead; without maxAge the cookie becomes a browser-session cookie with no expiry of its own, so the server must enforce the lifetime.
🧯 If You Can't Patch
- Implement additional session validation middleware (for example a preHandler hook) that compares a server-side stored expiry or creation timestamp against the current time and destroys the session when it is past
- Reduce session timeout values and require re-authentication for sensitive operations such as password changes or payments
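The following is an added illustration, not code from @fastify/session or from this advisory. It models the class of bug described above (the restored session's expiry is recomputed from maxAge, so an expired record is never rejected) next to the independent server-side check recommended as a workaround, which trusts only the expiry that was stored when the session was created and additionally caps the session at an absolute lifetime. The store shape, the record fields (createdAt, expiresAt) and the function names are assumptions made for this example.

```javascript
// Added example for CVE-2024-35220; not @fastify/session's own code.
// Record fields, store shape and function names are assumptions.

const MAX_AGE_MS = 60 * 60 * 1000; // mirrors a cookie.maxAge of one hour

// Constructed in-memory session store keyed by session id.
// expiresAt and createdAt are epoch milliseconds.
function makeStore() {
  const records = new Map();
  return {
    set: (id, rec) => records.set(id, { ...rec }),
    get: (id) => (records.has(id) ? { ...records.get(id) } : null),
    destroy: (id) => records.delete(id),
  };
}

function createSession(store, id, now) {
  const rec = { userId: 'u-42', createdAt: now, expiresAt: now + MAX_AGE_MS };
  store.set(id, rec);
  return rec;
}

// Vulnerable pattern: the restored record's expiry is rebuilt from maxAge on
// every lookup, so the stored expiry is ignored and the session never expires.
function restoreVulnerable(store, id, now) {
  const rec = store.get(id);
  if (!rec) return null;
  rec.expiresAt = now + MAX_AGE_MS; // overrides what the store held
  return rec;
}

// Hardened pattern: use only the stored expiresAt, clamp it to an absolute
// lifetime of createdAt + maxAge, and destroy the record once it is past so
// the session id cannot be replayed.
function restoreHardened(store, id, now) {
  const rec = store.get(id);
  if (!rec) return null;
  const hardLimit = rec.createdAt + MAX_AGE_MS;
  const effectiveExpiry = Math.min(rec.expiresAt, hardLimit);
  if (now >= effectiveExpiry) {
    store.destroy(id);
    return null;
  }
  return rec;
}

// Runs both restore paths against the same timeline: a session created at t0
// and presented again just after maxAge has elapsed. Returns the outcome.
function demo() {
  const t0 = Date.UTC(2024, 4, 1, 12, 0, 0);
  const afterExpiry = t0 + MAX_AGE_MS + 1;

  const vulnStore = makeStore();
  createSession(vulnStore, 'sid-1', t0);
  const vulnRestored = restoreVulnerable(vulnStore, 'sid-1', afterExpiry);

  const fixedStore = makeStore();
  createSession(fixedStore, 'sid-1', t0);
  const fixedRestored = restoreHardened(fixedStore, 'sid-1', afterExpiry);

  return {
    vulnerableStillActive: vulnRestored !== null,   // true: bug keeps it alive
    hardenedStillActive: fixedRestored !== null,    // false: rejected
    hardenedRecordRemoved: fixedStore.get('sid-1') === null, // true: destroyed
  };
}
```

In a real Fastify application the hardened check would run in a preHandler hook against request.session and call the session's destroy method when it is past its stored expiry. If your application deliberately extends the expiry on every request (a rolling session), keep the absolute cap as a separate, longer limit rather than equal to maxAge, otherwise legitimate long-lived sessions would be cut off.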
🔍 How to Verify
Check if Vulnerable:
Check the installed version of @fastify/session (the installed version, not just the range declared in package.json). If it is below 10.8.0 and cookie maxAge is configured, the system is vulnerable.
Check Version:
npm list @fastify/session
Verify Fix Applied:
Create a session with a short maxAge, wait until it has elapsed, replay the same cookie, and confirm the server no longer returns the old session data (it should start a fresh, empty session or reject the request). If the original session data comes back after expiry, the fix is not in effect.
📡 Detection & Monitoring
Log Indicators:
- Unusually long session durations
- Session restoration attempts after expiration time
Network Indicators:
- Session cookies being used beyond their intended lifetime
SIEM Query:
Search for session IDs that are still accepted by the application beyond their configured maxAge, measured from the session's first appearance in the logs.
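An added example of the detection logic behind that query, run over constructed access-log lines; it is not part of this advisory or of @fastify/session. The log format (ISO timestamp, sid=, path=) and the one-hour maxAge are assumptions; adapt the regular expression to your own log fields.

```javascript
// Added example: flag session ids still in use beyond maxAge.
// Log format and maxAge are assumptions; sample lines are constructed.

const MAX_AGE_MS = 60 * 60 * 1000; // assumed cookie.maxAge of one hour

// Constructed sample log. sid-b is reused 90 and 95 minutes after first sight,
// which a patched server should have rejected.
const SAMPLE_LOG = [
  '2024-05-01T12:00:00Z sid=sid-a path=/login',
  '2024-05-01T12:05:00Z sid=sid-b path=/login',
  '2024-05-01T12:30:00Z sid=sid-a path=/account',
  '2024-05-01T13:35:00Z sid=sid-b path=/account',
  '2024-05-01T13:40:00Z sid=sid-b path=/transfer',
  'garbage line without the expected fields',
];

const LINE_RE = /^(\S+) sid=(\S+) path=(\S+)$/;

// Parses one line into { ts, sid, path }; returns null for lines that do not
// match or carry an unparseable timestamp, so noise does not abort the scan.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, sid: m[2], path: m[3] };
}

// Returns a Map of sid -> [{ path, ageMinutes }] for every request that
// arrived more than maxAgeMs after the sid was first seen. Lines are assumed
// to be in chronological order.
function findOverlongSessions(lines, maxAgeMs) {
  const firstSeen = new Map();
  const hits = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    if (!firstSeen.has(ev.sid)) {
      firstSeen.set(ev.sid, ev.ts);
      continue;
    }
    const age = ev.ts - firstSeen.get(ev.sid);
    if (age > maxAgeMs) {
      if (!hits.has(ev.sid)) hits.set(ev.sid, []);
      hits.get(ev.sid).push({ path: ev.path, ageMinutes: Math.round(age / 60000) });
    }
  }
  return hits;
}
```

The first sighting is only an approximation of session creation, so a session that started before the log window may be flagged early; correlate with login events where you have them. Applications that roll the expiry forward on each request will also produce hits for legitimate sessions, in which case compare against the absolute lifetime you enforce rather than maxAge.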
🔗 References
- https://github.com/fastify/session/commit/0495ce5b534c4550f25228821db8098293439f2f
- https://github.com/fastify/session/issues/251
- https://github.com/fastify/session/security/advisories/GHSA-pj27-2xvp-4qxg