Roadiz OpenID Package Nonce Validation Vulnerability Allowing ID Token Replay Attacks

Vulnerability

A vulnerability exists in the Roadiz OpenID package in versions prior to 2.3.43, 2.5.45, 2.6.31, and 2.7.18: the OIDC nonce is generated and sent in the authorization request to the identity provider, but it is never stored in the user's session and never compared with the nonce claim of the ID token returned on the callback. The nonce is what binds an ID token to the login attempt that requested it, so skipping this check means that any ID token that is validly signed, unexpired and issued for this client is accepted, whichever session it was issued to. This allows intercepted ID tokens to be replayed for authentication.

Impact

An attacker who obtains a valid ID token for a target user can replay it to authenticate as that user for as long as the token remains valid (until its exp claim). Because the check that ties a token to the session that initiated the flow is missing, a malicious or compromised identity provider can also inject tokens across sessions without the relying party detecting it.

Reproduction

To reproduce, obtain a valid ID token from a legitimate OIDC flow for the target user, for example through network interception, a browser history leak, or a Referer header exposing the token on a non-HTTPS redirect. Present the captured ID token to the application's OIDC callback from a different session. Because the nonce claim is never compared against a stored value, the application accepts the token and authenticates the attacker as the target user.
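The following is an added example, not code from Roadiz or the Roadiz OpenID package, showing the pre-fix callback behaviour described above beside the hardened form. It stands in for the identity provider with a toy issuer that signs ID tokens with HS256 and a shared secret (real providers sign with RS256 or ES256 and the client verifies against their JWKS); the issuer URL, client_id, shared secret and session keys are assumptions, and replay_demo() constructs the victim and attacker sessions inline.

```python
"""Added example (not Roadiz code): OIDC nonce binding, vulnerable vs. fixed.

Assumptions: a hypothetical issuer and client_id, a constructed HS256 shared
secret standing in for the IdP signing key, and a plain dict as the session.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

ISSUER = "https://idp.example"       # hypothetical identity provider
CLIENT_ID = "roadiz-backoffice"      # hypothetical client_id
IDP_SECRET = b"toy-shared-secret"    # constructed; stands in for the IdP signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims: dict, secret: bytes = IDP_SECRET) -> str:
    """Toy IdP: mint an HS256-signed ID token carrying the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _verify_signature_and_claims(token: str, secret: bytes = IDP_SECRET, now=None) -> dict:
    """Checks both client variants perform: signature, issuer, audience, expiry."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (now or time.time()):
        raise ValueError("expired")
    return claims


def start_login(session: dict) -> str:
    """Client: generate a nonce, remember it in the session, send it to the IdP."""
    nonce = secrets.token_urlsafe(32)
    session["oidc_nonce"] = nonce
    return f"{ISSUER}/authorize?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "scope": "openid", "nonce": nonce,
    })


def callback_vulnerable(session: dict, id_token: str, now=None) -> dict:
    """Pre-fix behaviour: the nonce was sent but is never compared, so any valid
    token, including one captured from another user's session, is accepted."""
    return _verify_signature_and_claims(id_token, now=now)


def callback_fixed(session: dict, id_token: str, now=None) -> dict:
    """Fixed behaviour: the token's nonce claim must equal the nonce this session
    generated, and the stored nonce is consumed so the token cannot be reused."""
    claims = _verify_signature_and_claims(id_token, now=now)
    expected = session.pop("oidc_nonce", None)   # single use, even when the check fails
    presented = claims.get("nonce")
    if expected is None or presented is None:
        raise ValueError("no nonce to validate against")
    if not hmac.compare_digest(expected.encode(), str(presented).encode()):
        raise ValueError("nonce mismatch: token is not bound to this login attempt")
    return claims


def replay_demo() -> dict:
    """Victim completes a real login; the attacker replays the captured ID token
    from a fresh session. Returns which client variant accepted the replay."""
    victim, attacker = {}, {}
    start_login(victim)
    token = issue_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "victim",
                            "nonce": victim["oidc_nonce"], "exp": time.time() + 300})
    start_login(attacker)   # attacker's own nonce; the IdP never saw it for this token
    results = {"vulnerable_accepts_replay":
               callback_vulnerable(attacker, token)["sub"] == "victim"}
    try:
        callback_fixed(attacker, token)
        results["fixed_accepts_replay"] = True
    except ValueError:
        results["fixed_accepts_replay"] = False
    return results
```

Running replay_demo() shows the vulnerable callback accepting the victim's token in the attacker's session while the fixed callback rejects it. The fixed variant pops the nonce before comparing, so a token is accepted at most once per login attempt, and it compares with hmac.compare_digest rather than == to avoid leaking the stored value through timing.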

Remediation

Upgrade to Roadiz OpenID package version 2.3.43, 2.5.45, 2.6.31, or 2.7.18, whichever corresponds to the release branch in use. After upgrading, confirm that the nonce sent in the authorization request is kept in the session and that the callback rejects an ID token whose nonce claim is missing or does not match it.

Added: May 8, 2026, 10:23 PM
Updated: May 8, 2026, 10:23 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         1.3
exploitability: 8.7
remediation:    0.0
relevance:      7.8
threat:         6.4
urgency:        2.9
incentive:      4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.