CVE-2024-42475 Information

Description

In the OAuth library for nim prior to version 0.11 the state values generated by the generateState function do not have sufficient entropy. These can be successfully guessed by an attacker allowing them to perform a CSRF vs a user associating the user’s session with the attacker’s protected resources. While state isn’t exactly a cryptographic value it should be generated in a cryptographically secure way. generateState should be using a CSPRNG. Version 0.11 modifies the generateState function to generate state values of at least 128 bits of entropy while using a CSPRNG.

Reference

https://github.com/CORDEA/oauth/security/advisories/GHSA-332c-q46h-fg8f https://github.com/CORDEA/oauth/blob/b8c163b0d9cfad6d29ce8c1fb394e5f47182ee1c/src/oauth2.nim#L179