Severity: high

    Code Injection



    oauth2-server (aka node-oauth2-server) through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not misleading and I also therefore wouldn't describe this as a "vulnerability" with the library per se.'


    Avoid using oauth2-server as there is no current safe version of this module


    Advisory timeline

    1. published

      Advisory Published
      May 4th, 2021
    2. reported

      Reported by Anonymous
      May 4th, 2021