getsentry/sentry
cpe:2.3:a:sentry:sentry:*:*:*:*:*:*:*
- < 25.5.0
A vulnerability exists in Sentry's OAuth implementation prior to version 25.5.0: a race condition combined with improper authorization code handling. Exploitation can lead to unauthorized persistence in a user's account. By orchestrating timed requests and redirect flows, an attacker could generate multiple authorization codes and exchange them for access and refresh tokens, even after the application was de-authorized. This issue has been addressed in Sentry version 25.5.0.
Because OAuth authorization codes are mishandled, an attacker can obtain access and refresh tokens without proper authorization, which gives unauthorized access to a user's account.
To reproduce this vulnerability, an attacker must register a malicious OAuth application with Sentry and have it authorized by a user. Once it is authorized, the attacker can exploit the race condition by sending multiple, specially timed requests that generate overlapping authorization codes. These codes can then be exchanged for access and refresh tokens, giving the attacker unauthorized access to the user's account.
Self-hosted Sentry users should upgrade to version 25.5.0 or higher. Sentry SaaS users do not need to take any action.
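The server-side invariants that this class of flaw violates, as an added Python sketch that is not Sentry's code or its 25.5.0 fix: authorization codes are single-use, the exchange re-checks the approval inside the same critical section, and de-authorization revokes pending codes and issued tokens. `GrantStore` and its method names are hypothetical, and an in-memory lock stands in for a database transaction.

```python
import secrets
import threading

class GrantStore:
    """In-memory model of an OAuth server's grant state (hypothetical names)."""

    def __init__(self):
        self._lock = threading.Lock()
        self._authorized = set()   # (user, client_id) pairs currently approved
        self._codes = {}           # code -> (user, client_id)
        self._tokens = {}          # token -> (user, client_id)

    def authorize(self, user, client_id):
        with self._lock:
            self._authorized.add((user, client_id))

    def issue_code(self, user, client_id):
        with self._lock:
            if (user, client_id) not in self._authorized:
                raise PermissionError("application is not authorized")
            code = secrets.token_urlsafe(16)
            self._codes[code] = (user, client_id)
            return code

    def exchange(self, code, client_id):
        # Consume the code and re-check approval in one critical section, so a
        # concurrent de-authorization cannot slip between check and issuance.
        with self._lock:
            grant = self._codes.pop(code, None)  # single use: gone after first try
            if grant is None or grant[1] != client_id:
                raise PermissionError("invalid or already used code")
            if grant not in self._authorized:
                raise PermissionError("authorization was revoked")
            token = secrets.token_urlsafe(24)
            self._tokens[token] = grant
            return token

    def deauthorize(self, user, client_id):
        # Revocation removes the approval, every pending code and every token.
        with self._lock:
            grant = (user, client_id)
            self._authorized.discard(grant)
            self._codes = {c: g for c, g in self._codes.items() if g != grant}
            self._tokens = {t: g for t, g in self._tokens.items() if g != grant}

    def token_valid(self, token):
        with self._lock:
            return token in self._tokens
```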