CVE-2021-41580
CVE-2021-41580 is a medium-severity vulnerability in Passportjs Passport-oauth2 with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- Severity: Medium (CVSS 3.x base score 5.3)
- CVSS v2: 5.0
- EPSS exploit prediction: 1% (66th percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Passportjs Passport-oauth2
- Published:
- Last modified:
Description
The passport-oauth2 package before 1.6.1 for Node.js mishandles the error condition of failure to obtain an access token. This is exploitable in certain use cases where an OAuth identity provider uses an HTTP 200 status code for authentication-failure error reports, and an application grants authorization upon simply receiving the access token (i.e., does not try to use the token). NOTE: the passport-oauth2 vendor does not consider this a passport-oauth2 vulnerability
Frequently asked questions
- What is CVE-2021-41580?
- The passport-oauth2 package before 1.6.1 for Node.js mishandles the error condition of failure to obtain an access token. This is exploitable in certain use cases where an OAuth identity provider uses an HTTP 200 status code for authentication-failure error reports, and an application grants authorization upon simply receiving the access token (i.e., does not try to use the token). NOTE: the passport-oauth2 vendor does not consider this a passport-oauth2 vulnerability
- How severe is CVE-2021-41580?
- CVE-2021-41580 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2021-41580 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (66th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-41580?
- CVE-2021-41580 affects Passportjs Passport-oauth2. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-41580?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2021-41580 published?
- CVE-2021-41580 was published on 2021-09-27 and last updated on 2026-06-17.
References
- https://github.com/jaredhanson/passport-oauth2/commit/8e3bcdff145a2219033bd782fc517229fe3e05ea
- https://github.com/jaredhanson/passport-oauth2/compare/v1.6.0...v1.6.1
- https://github.com/jaredhanson/passport-oauth2/pull/144
Affected products (1)
- cpe:2.3:a:passportjs:passport-oauth2:*:*:*:*:*:node.js:*:*