Nhost Auth Service OAuth Callback Refresh Token Exposure Vulnerability

Vulnerability

A vulnerability in the Nhost auth service's OAuth provider callback flow prior to version 0.48.0 allows refresh tokens to be leaked via the redirect URL, where the token is appended as a query parameter. Because full URLs are recorded in browser history, server access logs, HTTP Referer headers, and proxy/CDN logs, the token is exposed wherever the redirect URL is recorded. Although the refresh token is one-time use, an attacker who intercepts it before it is consumed can use it to generate new access tokens, leading to session hijacking.

Impact

Exploitation of this vulnerability allows for session hijacking: an attacker who obtains the refresh token before it is consumed can generate new access tokens. The vulnerability also introduces multiple leak vectors on the operator's own infrastructure and on integrated services, including browser history, HTTP Referer headers (mitigated by modern browser default referrer policies), server access logs, and proxy/CDN/WAF logs.

Reproduction

To reproduce this vulnerability, initiate an OAuth login by sending a request to the sign-in endpoint of the desired provider, including a redirect URL. After the OAuth flow completes, the auth service redirects to the specified URL with the refresh token appended as a query parameter. The token is then recorded in the browser history, in the HTTP Referer header (if the landing page loads any external resources), and in the server access logs.
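The leak vectors above are all log-shaped: the token ends up in a request line or a Referer value that a web server, proxy or CDN writes to disk. The following added example (not code from the advisory or from the Nhost project) is a small Python checker a defender can run over existing access logs to find out whether refresh tokens have already been recorded, and to produce a redacted copy before logs are shipped or retained. It assumes a combined-format access log and assumes the query-parameter names `refreshToken` / `refresh_token`; the advisory does not name the parameter, so both names and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# ASSUMPTION: parameter names that carry a refresh token. The advisory does not
# name the parameter, so these are constructed guesses; extend as needed.
TOKEN_PARAMS = {"refreshtoken", "refresh_token"}

# Minimal matcher for a combined-format access log line:
# client ident user [timestamp] "METHOD target PROTO" status bytes "referer" ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)

# Constructed sample log: line 1 is the callback redirect landing with the token in
# the request line, line 2 is a later asset request that carries the same URL as
# Referer, line 3 is a clean request.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Apr/2026:16:24:01 +0000] "GET /app/callback?refreshToken=rt_secret_value_1&state=xyz HTTP/1.1" 200 512 "https://auth.example.test/v1/signin/provider/github/callback" "Mozilla/5.0"
203.0.113.7 - - [06/Apr/2026:16:24:02 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 "https://app.example.test/app/callback?refreshToken=rt_secret_value_1&state=xyz" "Mozilla/5.0"
203.0.113.9 - - [06/Apr/2026:16:25:10 +0000] "GET /app/dashboard HTTP/1.1" 200 1024 "https://app.example.test/" "Mozilla/5.0"
"""


def token_params(url):
    """Return the sorted names of token-carrying query parameters present in url."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in TOKEN_PARAMS})


def redact_url(url):
    """Return url with the value of every token-carrying parameter replaced."""
    parts = urlsplit(url)
    pairs = [(k, "[REDACTED]" if k.lower() in TOKEN_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    # safe="[]" keeps the marker readable instead of percent-encoding it
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))


def scan_log(text):
    """Find log lines where the request target or Referer carries a refresh token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in ("target", "referer"):
            hit = token_params(m.group(field))
            if hit:
                findings.append({"line": lineno, "field": field,
                                 "params": hit, "client": m.group("client")})
    return findings


def redact_log(text):
    """Return a copy of the log with refresh-token values removed from URLs."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            for field in ("target", "referer"):
                value = m.group(field)
                if token_params(value):
                    line = line.replace(value, redact_url(value))
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['params']} in {f['field']} from {f['client']}")
    print(redact_log(SAMPLE_LOG))
```

Run the scanner over the retained access logs of the app host and of any proxy or CDN in front of it: each finding identifies a session whose refresh token was recorded and whose access tokens should be treated as potentially exposed. The redacted copy is suitable for forwarding to log aggregation once the parameter names have been confirmed against the real callback URL.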

Remediation

Users can update to Nhost version 0.48.0 or later, where this vulnerability has been fixed. Instructions for updating can be found in the Nhost documentation.

Added: Apr 6, 2026, 4:24 PM
Updated: Apr 6, 2026, 4:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.1
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.