CVE-2024-35220

@fastify/session is a session plugin for fastify. Requires the @fastify/cookie plugin. When restoring the cookie from the session store, the `expires` field is overriden if the `maxAge` field was set.
This means a cookie is never correctly detected as expired and thus expired sessions are not destroyed. This vulnerability has been patched 10.8.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.4 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
GitHub_MCNA
7.4 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 57%
Common Weakness Enumeration
References
https://github.com/fastify/session/commit/0495ce5b534c4550f25228821db8098293439f2f
https://github.com/fastify/session/issues/251
https://github.com/fastify/session/security/advisories/GHSA-pj27-2xvp-4qxg
https://github.com/fastify/session/commit/0495ce5b534c4550f25228821db8098293439f2f
https://github.com/fastify/session/issues/251
https://github.com/fastify/session/security/advisories/GHSA-pj27-2xvp-4qxg