
AIKIDO-2024-10482

supertokens-node is vulnerable to Use of Single-factor Authentication

Use of Single-factor Authentication Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Nov 27, 2024

10

Low Risk

This Affects:

supertokens-node (npm / JavaScript)
17.0.0 - 17.1.4, fixed in 17.1.5
18.0.0 - 18.0.2, fixed in 18.0.3
19.0.0 - 19.0.1, fixed in 19.0.2
20.0.0 - 20.1.5, fixed in 20.1.6
21.0.0, fixed in 21.1.0

TL;DR

Affected versions of this package fail to validate the MFA (Multi-Factor Authentication) claim on the session before allowing the removal of a TOTP (Time-Based One-Time Password) device. An attacker holding a valid session that has only passed the first factor (for example a password login whose TOTP step has not been completed) can therefore remove the user's TOTP device without ever presenting the second factor, leaving the account protected by single-factor authentication.
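To make the missing check concrete, here is an added example (not code from supertokens-node or from this advisory) modelling a "remove TOTP device" handler in the vulnerable shape described above and in a fixed shape that verifies the MFA claim first. The session layout and the claim name `mfaCompleted` are assumptions made for illustration, not the library's real claim format; the device store and sessions are constructed in-line.

```javascript
// Added example, not code from supertokens-node or from the advisory: a minimal
// model of a "remove TOTP device" endpoint, first in the vulnerable shape the
// advisory describes (no MFA-claim check) and then in the fixed shape.
// The session object layout and the claim name `mfaCompleted` are assumptions
// made for illustration, not the library's real claim format.

// Constructed in-memory store: user id -> set of enrolled TOTP device names.
function makeStore() {
  return new Map([["user-1", new Set(["phone", "backup-app"])]]);
}

// Constructed sessions. Both are valid, logged-in sessions for the same user;
// only the second one has completed the TOTP step.
const sessionFirstFactorOnly = {
  userId: "user-1",
  accessTokenPayload: { mfaCompleted: false },
};
const sessionAfterTotp = {
  userId: "user-1",
  accessTokenPayload: { mfaCompleted: true },
};

// Vulnerable: any valid session may remove a device, so whoever holds a
// password-only session can strip the user's second factor before ever
// being challenged for it.
function removeDeviceVulnerable(store, session, deviceName) {
  const devices = store.get(session.userId);
  if (!devices) return { didRemove: false };
  return { didRemove: devices.delete(deviceName) };
}

// Fixed: verify the MFA claim on the session before touching device state.
// A missing or unsatisfied claim is refused; the caller must complete TOTP first.
function removeDeviceFixed(store, session, deviceName) {
  const payload = session.accessTokenPayload || {};
  if (payload.mfaCompleted !== true) {
    throw new Error("MFA_REQUIRED");
  }
  const devices = store.get(session.userId);
  if (!devices) return { didRemove: false };
  return { didRemove: devices.delete(deviceName) };
}

// Runs both handlers against the constructed sessions and reports the outcomes.
function demo() {
  const vulnStore = makeStore();
  const vulnerableRemoved = removeDeviceVulnerable(
    vulnStore, sessionFirstFactorOnly, "phone").didRemove;

  const fixedStore = makeStore();
  let fixedDenied = false;
  try {
    removeDeviceFixed(fixedStore, sessionFirstFactorOnly, "phone");
  } catch (e) {
    fixedDenied = e.message === "MFA_REQUIRED";
  }
  // The refused call must leave the device in place.
  const fixedStoreIntact = fixedStore.get("user-1").has("phone");

  // With the MFA claim satisfied, the same removal is allowed.
  const fixedRemoved = removeDeviceFixed(
    fixedStore, sessionAfterTotp, "phone").didRemove;

  return { vulnerableRemoved, fixedDenied, fixedStoreIntact, fixedRemoved };
}

console.log(demo());
```

The point of the fixed handler is ordering: the claim is checked before any state is read or mutated, and the check is on the session's own verified payload rather than on anything the client sends in the request body. Whatever claim format a real deployment uses, a device-removal (or any other MFA-management) endpoint should be gated the same way as the resources MFA is meant to protect.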

Who does this affect?

You are affected if your application depends on supertokens-node in one of the affected version ranges listed above and exposes TOTP device removal to authenticated users; in that case a session that has not completed the TOTP step can remove a device.

Background info

supertokens-node is vulnerable to Use of Single-factor Authentication in versions 17.0.0 - 17.1.4, 18.0.0 - 18.0.2, 19.0.0 - 19.0.1, 20.0.0 - 20.1.5 and 21.0.0.

How to fix this

Upgrade supertokens-node to the fixed release for your major version: 17.1.5, 18.0.3, 19.0.2, 20.1.6 or 21.1.0 (or any later release).
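As an added helper (not part of this advisory or of supertokens-node), the following script tells you whether an installed version falls inside one of the ranges above and which release to move to. Read the installed version from `npm ls supertokens-node --depth=0` (or from your lockfile) and pass it to `checkVersion`.

```javascript
// Added example, not part of the advisory or of supertokens-node: decides
// whether an installed supertokens-node version sits in one of the affected
// ranges listed in this advisory and, if so, which release to upgrade to.

// Ranges copied from the advisory (both bounds inclusive).
const AFFECTED_RANGES = [
  { from: "17.0.0", to: "17.1.4", fixedIn: "17.1.5" },
  { from: "18.0.0", to: "18.0.2", fixedIn: "18.0.3" },
  { from: "19.0.0", to: "19.0.1", fixedIn: "19.0.2" },
  { from: "20.0.0", to: "20.1.5", fixedIn: "20.1.6" },
  { from: "21.0.0", to: "21.0.0", fixedIn: "21.1.0" },
];

// Parses "MAJOR.MINOR.PATCH" into three integers. A leading "v" and any
// pre-release/build suffix are dropped, so "21.0.0-rc.1" is treated as 21.0.0;
// the advisory does not list pre-releases, so treat such results with care.
function parseVersion(v) {
  const core = v.trim().replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((p) => Number.parseInt(p, 10));
  if (parts.length !== 3 || parts.some((n) => Number.isNaN(n) || n < 0)) {
    throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  }
  return parts;
}

// Numeric compare on the three components (so 20.10.0 > 20.9.0).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns { affected, upgradeTo }: upgradeTo is the fixed release for the
// matching range, or null when the version is outside every affected range.
function checkVersion(installed) {
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(installed, r.from) >= 0 &&
        compareVersions(installed, r.to) <= 0) {
      return { affected: true, upgradeTo: r.fixedIn };
    }
  }
  return { affected: false, upgradeTo: null };
}

// Constructed sample versions, e.g. as reported by `npm ls supertokens-node --depth=0`.
for (const v of ["20.1.5", "20.1.6", "21.0.0", "16.7.4"]) {
  console.log(v, checkVersion(v));
}
```

A version below 17.0.0 reports "not affected" only because the advisory lists no range there; it does not mean older releases were assessed. Pin the upgraded version in your lockfile and re-run the check as part of CI so a later downgrade is caught.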