CVE-2024-35220: @fastify/session reuses destroyed session cookie

May 21, 2024

When restoring the cookie from the session store, the expires field is overriden if the maxAge field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not destroyed.

References

github.com/advisories/GHSA-pj27-2xvp-4qxg
github.com/fastify/session
github.com/fastify/session/commit/0495ce5b534c4550f25228821db8098293439f2f
github.com/fastify/session/issues/251
github.com/fastify/session/security/advisories/GHSA-pj27-2xvp-4qxg
nvd.nist.gov/vuln/detail/CVE-2024-35220

Detect and mitigate CVE-2024-35220 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →