Hexpm Privilege Escalation Vulnerability via Incorrect OAuth Scope Validation

Vulnerability

A privilege escalation vulnerability has been identified in Hexpm's OAuth implementation, specifically in the 'Elixir.HexpmWeb.API.OAuthController' module. It stems from incorrect authorization handling: an API key limited to read-only permissions (domain 'api', resource 'read') can be escalated to full write access. When such a read-only key is exchanged through the OAuth client_credentials grant, the resource qualifier is dropped, so the resulting JSON Web Token (JWT) carries the broad 'api' scope instead of the expected 'api:read' scope, and the token is then treated as having full API access. An attacker who obtains a victim's read-only API key together with a valid two-factor authentication (TOTP) code can use this token to create a new API key with unrestricted permissions, enabling write operations such as publishing or modifying packages.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, enabling a user with a read-only API key to gain full write access and perform unrestricted operations on the API, including sensitive actions like publishing or modifying packages.

Reproduction

To reproduce this vulnerability, first obtain a read-only API key from a victim's account, along with a valid TOTP code. Then, use the OAuth client_credentials grant to exchange the API key for a JWT. The resulting token will have the broad 'api' scope, instead of 'api:read'. This token can then be used to create a new API key with full access rights, which does not expire by default and can be used to perform write operations on the API.
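The scope-derivation defect described in the Vulnerability and Reproduction sections above, modelled as an added example. This is illustration code, not Hexpm's own implementation: the Permission and ApiKey structures, the function names, and the 'api:write' scope string are constructed for the example (the page only names the 'api' and 'api:read' scopes). The flawed derivation drops the resource qualifier; the corrected derivation keeps it, and an audit helper flags issued tokens whose scopes exceed what the originating key's permissions justify.

```python
"""Model of the client_credentials scope-derivation flaw (added example,
not Hexpm code; data structures and names below are constructed)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class Permission:
    domain: str                      # e.g. "api"
    resource: Optional[str] = None   # e.g. "read"; None means the whole domain


@dataclass
class ApiKey:
    name: str
    permissions: List[Permission] = field(default_factory=list)


def permission_to_scope_vulnerable(perm: Permission) -> str:
    # Flawed derivation: the resource qualifier is ignored, so an
    # ("api", "read") permission becomes the broad "api" scope.
    return perm.domain


def permission_to_scope_fixed(perm: Permission) -> str:
    # Corrected derivation: keep the qualifier whenever one is present.
    if perm.resource is None:
        return perm.domain
    return f"{perm.domain}:{perm.resource}"


def issue_token_scopes(key: ApiKey, hardened: bool) -> Set[str]:
    """client_credentials exchange: map API key permissions to JWT scopes."""
    derive = permission_to_scope_fixed if hardened else permission_to_scope_vulnerable
    return {derive(p) for p in key.permissions}


def scope_covers(granted: str, required: str) -> bool:
    """An unqualified scope ("api") covers every qualified scope under it
    ("api:read", "api:write"); a qualified scope covers only itself."""
    if granted == required:
        return True
    return ":" not in granted and required.startswith(granted + ":")


def token_allows(scopes: Set[str], required: str) -> bool:
    """Authorization check performed by an API endpoint on the JWT scopes."""
    return any(scope_covers(s, required) for s in scopes)


def escalated_scopes(key: ApiKey, scopes: Set[str]) -> Set[str]:
    """Audit helper: scopes in an issued token that none of the key's own
    permissions would justify under the corrected derivation. A non-empty
    result means the token is broader than the key it was exchanged from."""
    legitimate = {permission_to_scope_fixed(p) for p in key.permissions}
    return {s for s in scopes if not any(scope_covers(g, s) for g in legitimate)}


# Constructed sample: a key limited to domain "api", resource "read".
READ_ONLY_KEY = ApiKey("victim-readonly", [Permission("api", "read")])


if __name__ == "__main__":
    for hardened in (False, True):
        scopes = issue_token_scopes(READ_ONLY_KEY, hardened)
        label = "fixed" if hardened else "vulnerable"
        print(f"[{label}] scopes={sorted(scopes)} "
              f"allows api:write={token_allows(scopes, 'api:write')} "
              f"escalated={sorted(escalated_scopes(READ_ONLY_KEY, scopes))}")
```

Run as a script it prints one line per derivation: the vulnerable path yields the scope set {'api'}, which passes an 'api:write' check and is flagged by the audit helper; the fixed path yields {'api:read'}, which fails the write check and is flagged as nothing. The audit helper is the check worth running over historical token issuance when reviewing exposure: any token whose scopes exceed its originating key's permissions is one the read-only key should never have produced.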

Remediation

Users should revoke and reissue any exposed API keys if compromise is suspected. After the vulnerability was identified, the scope validation logic was corrected to ensure that the resource field is properly respected. Instructions for updating to the patched version can be found in the Hexpm repository.

Added: Mar 5, 2026, 8:22 PM
Updated: Mar 5, 2026, 8:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 5.7
remediation: 0.0
relevance: 3.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.