Go-PKGZ Auth Patreon OAuth User ID Collision Vulnerability
Vulnerability
A vulnerability exists in the Patreon OAuth provider of the Go-PKGZ Auth library, affecting versions from 1.18.0 up to but not including 1.25.2, and from 2.0.0 up to but not including 2.1.2. The issue arises because the provider maps every authenticated Patreon account to the same local user ID, instead of deriving a unique ID from the individual Patreon account ID. This flaw causes all Patreon-authenticated users within an application to be treated as a single identity. As a result, applications that rely on token.User.ID as a stable account identifier may inadvertently merge or mix unrelated Patreon users, leading to cross-account access, privilege confusion, and unauthorized sharing of subscription information.
Impact
This vulnerability creates an authentication and identity collision issue within the Patreon provider, allowing all Patreon-authenticated users in the same application to be merged into a single local account. Consequently, data linked to one Patreon user could be accessed by or overwrite data of another user. Additionally, Patreon-specific attributes, such as subscription status, could be improperly shared between unrelated users. If an application grants elevated privileges based on this shared Patreon ID, those privileges would apply to all users authenticated through Patreon.
Reproduction
The vulnerability can be reproduced by using the Patreon OAuth provider in the Go-PKGZ Auth library. After authenticating two different Patreon accounts, the same local user ID is assigned to both, demonstrating the collision. Without live accounts, the same check can be made by feeding the provider's user-data mapping two user-info payloads that carry distinct Patreon account IDs and verifying that the resulting local IDs are identical.
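The collision check described above, as an added Go example that is not the library's own code: it models the user-data mapping with a constant seed (the flaw) and with the account ID as seed (the patched behaviour); the identity response shape, the hashed-ID scheme and the function names are assumptions.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"encoding/json"
)
// identity holds the one field of a Patreon identity response used here (shape assumed).
type identity struct {
	Data struct {
		ID string `json:"id"`
	} `json:"data"`
}
// localID builds "patreon_" + sha1(seed), the provider-prefixed hashed-ID pattern;
// which seed goes in is the whole bug.
func localID(seed string) string {
	h := sha1.Sum([]byte(seed))
	return "patreon_" + hex.EncodeToString(h[:])
}
// mapUser turns a raw identity response into the local user ID (what would land in
// token.User.ID). perAccount=false models the flaw: a constant seed, so every Patreon
// login gets one ID. perAccount=true seeds with the account ID, as in the fixed versions.
func mapUser(raw []byte, perAccount bool) (string, error) {
	var id identity
	if err := json.Unmarshal(raw, &id); err != nil {
		return "", err
	}
	seed := "patreon"
	if perAccount {
		seed = id.Data.ID
	}
	return localID(seed), nil
}
// collides is the advisory's reproduction check: map two distinct accounts and
// report whether they received the same local ID.
func collides(a, b []byte, perAccount bool) (bool, error) {
	ua, err := mapUser(a, perAccount)
	if err != nil {
		return false, err
	}
	ub, err := mapUser(b, perAccount)
	if err != nil {
		return false, err
	}
	return ua == ub, nil
}
// Constructed identity responses for two different Patreon accounts.
var alice, bob = []byte(`{"data":{"id":"1001"}}`), []byte(`{"data":{"id":"2002"}}`)
```

Running collides(alice, bob, false) reports a collision while collides(alice, bob, true) does not, which is exactly the difference an application relying on token.User.ID should test for after upgrading.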
Remediation
Upgrade to Go-PKGZ Auth 1.25.2 (for the 1.x line) or 2.1.2 (for the 2.x line), where this vulnerability has been patched.
