<p>Upgrade <code>otpauth</code> to version 3.2.8 or higher.</p>

Authentication Bypass Affecting otpauth package, versions <3.2.8

Snyk CVSS

Attack Complexity Low

Confidentiality High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JS-OTPAUTH-451697
published 23 Jul 2019
disclosed 22 Jul 2019
credit Henrik Sommerland

Report a new vulnerability Found a mistake?

Introduced: 22 Jul 2019

CWE-287 Open this link in a new tab

How to fix?

Upgrade otpauth to version 3.2.8 or higher.

Overview

otpauth is an One Time Password (HOTP/TOTP) authentication library for Node.js and browser.

Affected versions of this package are vulnerable to Authentication Bypass. The totp.validate() function may return positive values for single digit tokens even if they are invalid. This may allow attackers to bypass the OTP authentication by providing single digit tokens.

References

GitHub Commit
GitHub Issue
NPM Security Advisory