Advisories for Npm/@Cedar-Policy/Authorization-for-Expressjs package

2026

@cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation

@cedar-policy/authorization-for-expressjs is an open-source Express.js middleware that integrates Cedar authorization into Express applications by mapping HTTP requests to Cedar actions and evaluating authorization policies before allowing requests to proceed. An issue exists where, under certain circumstances, the middleware matches incoming requests against Cedar action mappings using req.originalUrl, which includes the query string, while Express routes requests using only the path component. Because the two components see different strings for the same request, the action the middleware evaluates can disagree with the route Express actually dispatches to.