Improper Authentication Affecting express-laravel-passport package, versions *
Snyk CVSS
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-EXPRESSLARAVELPASSPORT-540726
- published 5 Jan 2020
- disclosed 4 Jan 2020
- credit ermilov
How to fix?
There is no fixed version for express-laravel-passport.
Overview
express-laravel-passport is a small middleware support getting user_id from Bearer header with laravel structure database
Affected versions of this package are vulnerable to Improper Authentication. The module defined to handle authentication but does not validate the JWT token sent by the user. Therefore it allows modifying payload within the token. It provides an opportunity to forge the user's identity by changing the information inside the token's payload that is used to authenticate the client.