GMS-2020-419: Authentication Bypass in otpauth

September 3, 2020 (updated September 29, 2021)

Versions of otpauth are vulnerable to Authentication Bypass. The package’s totp.validate() function may return positive values for single digit tokens even if they are invalid. This may allow attackers to bypass the OTP authentication by providing single digit tokens.

References

github.com/advisories/GHSA-rmmc-8cqj-hfp3
www.npmjs.com/advisories/1087

Detect and mitigate GMS-2020-419 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →