CVE-2022-31013 Information

Description

Chat Server is the chat server for Vartalap, an open-source messaging application. Versions 2.3.2 up to 2.6.0 suffer from a bug in validating the access token, resulting in authentication bypass. The function this.authProvider.verifyAccessKey is an async function, but the calling code does not use await to wait for the verification result, so every call responds with success; if the token is invalid, the verification failure surfaces only as an unhandled exception. A patch is available in version 2.6.0.
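A minimal Node.js model of the defect described above, added here as an illustration and not taken from the chat-server project: the vulnerable handler calls the async verifier without await, so the truthy Promise passes the check for any token, while the corrected handler awaits it and treats a throw as a failed login. The authProvider object, the sample token table and the handler names are constructed for the demo.

```javascript
// Constructed stand-in for the auth provider: verifyAccessKey is async,
// resolves to the user for a valid token and throws for anything else.
const VALID_TOKENS = new Map([['tok-alice', { id: 'alice' }]]); // constructed sample data

const authProvider = {
  async verifyAccessKey(token) {
    const user = VALID_TOKENS.get(token);
    if (!user) throw new Error('invalid access token');
    return user;
  },
};

// Rejections from the vulnerable path are collected here only so this demo
// keeps running; in the real bug they surfaced as unhandled exceptions.
const leakedRejections = [];

// VULNERABLE pattern (mirrors the advisory): the async call is not awaited,
// so `user` holds a pending Promise, which is always truthy.
function authenticateVulnerable(token) {
  const user = authProvider.verifyAccessKey(token); // BUG: missing await
  if (!user) return { ok: false, reason: 'unauthorised' }; // never taken
  user.catch((err) => leakedRejections.push(err.message));
  return { ok: true, user }; // "success" even for a forged token
}

// FIXED pattern: await the verification and fail closed on any throw.
async function authenticateFixed(token) {
  try {
    const user = await authProvider.verifyAccessKey(token);
    return { ok: true, user };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Runs both handlers against a forged token and a valid one.
async function demo() {
  const vuln = authenticateVulnerable('forged-token');
  const fixedBad = await authenticateFixed('forged-token');
  const fixedGood = await authenticateFixed('tok-alice');
  return {
    vulnerableAccepted: vuln.ok,                          // true: bypass
    vulnerableUserIsPromise: vuln.user instanceof Promise, // true
    fixedRejected: !fixedBad.ok,                          // true
    fixedUserId: fixedGood.user.id,                       // 'alice'
  };
}

demo().then((result) => console.log(result));
```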

Reference

https://github.com/ramank775/chat-server/discussions/78
https://github.com/ramank775/chat-server/security/advisories/GHSA-xx4j-qqpp-v277
https://github.com/ramank775/chat-server/releases/tag/v2.6.0