@node-oauth/oauth2-server PKCE Verifier Validation Vulnerability Allowing Authorization Code Brute-Forcing
Vulnerability
A vulnerability exists in the @node-oauth/oauth2-server module for Node.js, specifically in versions through 5.2.1. The issue arises in the token exchange process, where the server accepts invalid code_verifier values for S256 PKCE flows. This flaw allows an attacker who intercepts an authorization code to brute-force code_verifier guesses online, exploiting the fact that weak verifiers are accepted and failed attempts do not consume the authorization code.
Impact
This vulnerability allows an intercepted authorization code to be redeemed by brute-forcing low-entropy verifiers that should have been rejected, thereby weakening the PKCE protection mechanism and enabling token theft.
Reproduction
To reproduce this vulnerability, first obtain an authorization code with a one-character code challenge, which is invalid according to RFC 7636. After intercepting the authorization code, send repeated token requests with guessed code_verifier values. The server will respond with 'invalid_grant' for incorrect guesses. Once a valid guess is found, the server will issue tokens, demonstrating successful exploitation.
Remediation
Users are advised to update to version 5.3.0 or later, where this vulnerability has been patched.
