Pocket ID OIDC Provider Improper Authorization Code Validation Vulnerability Allows Cross-Client Token Exchange and Expired Code Reuse

Vulnerability

A vulnerability exists in Pocket ID OIDC provider versions through 2.3.0, caused by improper validation of authorization codes at the OIDC token endpoint. The endpoint rejects an authorization code only when the client ID is incorrect and the code is expired at the same time, so a code that fails just one of those two checks is still accepted. This flaw enables cross-client code exchange and the reuse of expired authorization codes. The issue is resolved in version 2.4.0.

Impact

This vulnerability allows any OIDC client operator to exchange authorization codes issued to other clients, obtaining tokens for users who never authorized that client. Additionally, expired authorization codes can be reused with the correct client until a scheduled cleanup job runs and removes them.

Reproduction

To reproduce this vulnerability, first reset the test environment and authorize a test user with both the Nextcloud and Immich OIDC clients. Then exchange an authorization code issued for the Nextcloud client using Immich's client credentials. The request succeeds and returns tokens for the Immich client, even though the authorization code was valid only for Nextcloud.
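The validation defect described in the Vulnerability, Impact and Reproduction sections comes down to one boolean: the token endpoint combines the client-ID check and the expiry check with AND, so a code must fail both before it is rejected. The Go example below is added here to illustrate that pattern beside a fail-closed version; it is not Pocket ID's code. The AuthCode type, the in-memory handling, the user "alice" and the "nextcloud"/"immich" client identifiers are constructed for illustration, and the single-use check in the fixed version is a standard OAuth 2.0 hardening (RFC 6749 requires authorization codes to be single-use), not a detail the advisory attributes to the 2.4.0 fix.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// AuthCode is a hypothetical stored authorization-code record, constructed for this
// example; it is not Pocket ID's data model.
type AuthCode struct {
	Code      string
	ClientID  string // client the code was issued to
	UserID    string
	ExpiresAt time.Time
	Redeemed  bool
}

var (
	ErrInvalidCode    = errors.New("invalid authorization code")
	ErrClientMismatch = errors.New("authorization code was not issued to this client")
	ErrCodeExpired    = errors.New("authorization code has expired")
	ErrCodeRedeemed   = errors.New("authorization code has already been redeemed")
)

// validateFlawed reproduces the logic pattern the advisory describes: the code is
// rejected only when the client ID is wrong AND the code is expired, so a code that
// fails just one check (wrong client, or expired) is accepted.
func validateFlawed(ac *AuthCode, presentedClientID string, now time.Time) error {
	if ac.ClientID != presentedClientID && now.After(ac.ExpiresAt) {
		return ErrInvalidCode
	}
	return nil
}

// validateFixed fails closed: each check is independent, and any one of them failing
// rejects the exchange. The Redeemed check enforces single use (a standard hardening
// added in this example, not something the advisory attributes to the 2.4.0 fix).
func validateFixed(ac *AuthCode, presentedClientID string, now time.Time) error {
	if ac.ClientID != presentedClientID {
		return ErrClientMismatch
	}
	if !now.Before(ac.ExpiresAt) {
		return ErrCodeExpired
	}
	if ac.Redeemed {
		return ErrCodeRedeemed
	}
	return nil
}

// redeem is the fixed token-endpoint step: validate, then burn the code so a second
// exchange, even by the correct client before any cleanup job runs, is refused.
func redeem(ac *AuthCode, presentedClientID string, now time.Time) (string, error) {
	if err := validateFixed(ac, presentedClientID, now); err != nil {
		return "", err
	}
	ac.Redeemed = true
	return ac.UserID, nil
}

func main() {
	now := time.Now()
	// Constructed sample codes, both issued to the "nextcloud" client for user "alice".
	fresh := &AuthCode{Code: "code-1", ClientID: "nextcloud", UserID: "alice", ExpiresAt: now.Add(time.Minute)}
	expired := &AuthCode{Code: "code-2", ClientID: "nextcloud", UserID: "alice", ExpiresAt: now.Add(-time.Minute)}

	fmt.Println("cross-client, fresh code, flawed:  ", validateFlawed(fresh, "immich", now))     // <nil>: accepted
	fmt.Println("cross-client, fresh code, fixed:   ", validateFixed(fresh, "immich", now))      // client mismatch
	fmt.Println("correct client, expired, flawed:   ", validateFlawed(expired, "nextcloud", now)) // <nil>: accepted
	fmt.Println("correct client, expired, fixed:    ", validateFixed(expired, "nextcloud", now))  // expired
	fmt.Println("wrong client AND expired, flawed:  ", validateFlawed(expired, "immich", now))    // rejected

	user, err := redeem(fresh, "nextcloud", now)
	fmt.Println("first redemption by nextcloud:     ", user, err)
	_, err = redeem(fresh, "nextcloud", now)
	fmt.Println("second redemption by nextcloud:    ", err) // already redeemed
}
```

Run with `go run .`; the first five lines show which of the advisory's scenarios each check accepts, and the last two show why consuming the code on redemption matters independently of the cleanup job. Returning a distinct error per failed check is fine for server-side logging, but the token endpoint's HTTP response should still collapse them into the generic `invalid_grant` so callers learn nothing about which check failed.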

Remediation

Users should update to Pocket ID version 2.4.0 or later.

Added: Mar 10, 2026, 6:04 PM
Updated: Mar 10, 2026, 6:04 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.2
remediation: 0.0
relevance: 4.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.