Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 4c982a94bf6d · 2026-04-16T21:13:02.000Z
GHSA-jhm7-29pj-4xvf GHSA-wqq3-wfmp-v85g
diff --git a/advisories/github-reviewed/2026/04/GHSA-jhm7-29pj-4xvf/GHSA-jhm7-29pj-4xvf.json b/advisories/github-reviewed/2026/04/GHSA-jhm7-29pj-4xvf/GHSA-jhm7-29pj-4xvf.json
@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jhm7-29pj-4xvf",
+  "modified": "2026-04-16T21:09:50Z",
+  "published": "2026-04-16T21:09:50Z",
+  "aliases": [],
+  "summary": "@node-oauth/oauth2-server: PKCE code_verifier ABNF not enforced in token exchange allows brute-force redemption of intercepted authorization codes",
+  "details": "## Summary\n\nThe token exchange path accepts RFC7636-invalid `code_verifier` values (including one-character strings) for `S256` PKCE flows.  \nBecause short/weak verifiers are accepted and failed verifier attempts do not consume the authorization code, an attacker who intercepts an authorization code can brute-force `code_verifier` guesses online until token issuance succeeds.\n\n\n\n### Root cause\n\n1. `lib/pkce/pkce.js` (`getHashForCodeChallenge`) only checks that `verifier` is a non-empty string before hashing for `S256`; it does not enforce RFC7636 ABNF (`43..128` unreserved chars).\n2. `lib/grant-types/authorization-code-grant-type.js` compares `hash(code_verifier)` to stored `codeChallenge` without validating verifier format/length.\n3. In `AuthorizationCodeGrantType.handle`, authorization code revocation happens **after** verifier validation. Invalid guesses fail before revoke, so the same code can be retried repeatedly.\n\n## Steps to Reproduce\n\n### Setup\n\n- PKCE authorization code exists with:\n  - `codeChallengeMethod = \"S256\"`\n  - `codeChallenge = BASE64URL(SHA256(\"z\"))` (verifier is one character, RFC-invalid)\n- Attacker has intercepted the authorization code value.\n\n### Reproduction\n\n1. Send repeated token requests with guessed `code_verifier` values:\n\n```http\nPOST /token HTTP/1.1\nHost: oauth.example\nContent-Type: application/x-www-form-urlencoded\n\ngrant_type=authorization_code&\nclient_id=client1&\nclient_secret=s3cret&\ncode=stolen-auth-code&\nredirect_uri=https://client.example/callback&\ncode_verifier=<guess>\n```\n\n2. Observe invalid guesses return `invalid_grant`.\n3. Continue guessing (`a`..`z`).\n4. When `code_verifier=z`, token issuance succeeds and returns bearer tokens.\n\n### Confirmed PoC output\n\n```text\nBRUTE_FORCE_SUCCESS { tries: 26, guess: 'z', status: 200, tokenIssued: true }\n```\n\n## Impact\n\nAn intercepted authorization code can be redeemed by brute-forcing low-entropy verifiers that the server should have rejected under RFC7636.  \nThis weakens PKCE’s protection goal and allows token theft when clients generate short/predictable verifiers.\n\n## Recommended Fix\n\n1. Enforce `pkce.codeChallengeMatchesABNF(request.body.code_verifier)` in authorization code token exchange before hashing/comparison.\n2. Reject verifier values outside RFC7636 charset/length (`43..128` unreserved).\n3. Invalidate authorization codes on failed verifier attempts (or add strict retry limits) to prevent online guessing.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@node-oauth/oauth2-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.3.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 5.2.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/node-oauth/node-oauth2-server/security/advisories/GHSA-jhm7-29pj-4xvf"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/node-oauth/node-oauth2-server"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1289",
+      "CWE-307"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T21:09:50Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-wqq3-wfmp-v85g/GHSA-wqq3-wfmp-v85g.json b/advisories/github-reviewed/2026/04/GHSA-wqq3-wfmp-v85g/GHSA-wqq3-wfmp-v85g.json
@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wqq3-wfmp-v85g",
+  "modified": "2026-04-16T21:10:17Z",
+  "published": "2026-04-16T21:10:17Z",
+  "aliases": [],
+  "summary": "Mojic: Observable Timing Discrepancy in HMAC Verification",
+  "details": "### Summary\nThe `CipherEngine` in Mojic v2.1.3 uses a standard equality operator (`!==`) to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy (CWE-208), allowing a potential attacker to bypass the file integrity check via a timing attack.\n\n### Details\nIn `lib/CipherEngine.js`, the footer check validates the HMAC signature using a standard string comparison:\n`if (footerHex !== calcDigest) { ... }`\n\nStandard string comparisons in JavaScript short-circuit; they return `false` the moment a character mismatch occurs. Because the time taken to evaluate the comparison is proportional to the number of matching leading bytes, an attacker can measure the exact microseconds it takes for the engine to throw the `FILE_TAMPERED` error. By repeatedly altering the signature byte-by-byte and analyzing these minute timing differences, a malicious actor can theoretically forge a valid HMAC signature without possessing the decryption password.\n\n### PoC\nThe vulnerable implementation is located in `lib/CipherEngine.js`, within the `getDecryptStream()` flush method (approximately line 265):\n\n```javascript\n// Vulnerable Code\nif (footerHex !== calcDigest) {\n    this.emit('error', new Error(\"FILE_TAMPERED\"));\n    return;\n}\n```\n\n### Recommended Remediation:\nReplace the standard equality operator with Node.js's built-in constant-time comparison utility, crypto.timingSafeEqual().\n\n```JavaScript\n// Remediated Code\nconst footerBuffer = Buffer.from(footerHex, 'hex');\nconst calcBuffer = Buffer.from(calcDigest, 'hex');\n\nif (footerBuffer.length !== calcBuffer.length || !crypto.timingSafeEqual(footerBuffer, calcBuffer)) {\n    this.emit('error', new Error(\"FILE_TAMPERED\"));\n    return;\n}\n```\n\n### Impact\nIf successfully exploited, an attacker could tamper with the encrypted .mojic payload and forge a valid HMAC signature. This bypasses the integrity seal, tricking the decryption engine into processing maliciously injected emoji streams. Because the engine translates these emojis back into C keywords and raw data chunks, this could ultimately result in arbitrary Code Injection into the restored .c source code when an unsuspecting user decrypts the tampered file.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "mojic"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.1.4"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.1.3"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/notamitgamer/mojic"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-208"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T21:10:17Z",
+    "nvd_published_at": null
+  }
+}
