nuxt-auth-utils is vulnerable to Reliance on Cookies without Validation and Integrity Checking in a Security Decision
71
High Risk
Affected versions of this package are vulnerable to Insecure Cookie Configuration in OAuth State and PKCE Handling. The OAuth state and PKCE verifier cookies were set without explicit security options such as httpOnly, secure, and sameSite. As a result, they were accessible to JavaScript (increasing XSS risk), transmissible over HTTP (allowing man-in-the-middle interception), and lacked CSRF protection. An attacker could exploit this by injecting malicious scripts to steal these cookies via XSS, by eavesdropping on unencrypted connections to capture them, or by leveraging CSRF to manipulate OAuth flows and potentially compromise user authentication.
You are affected if you are using a version that falls within the vulnerable range.
nuxt-auth-utils is vulnerable to Reliance on Cookies without Validation and Integrity Checking in a Security Decision in versions 0.5.17 - 0.5.25.
Upgrade the nuxt-auth-utils library to the patched version.
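
One way to check a deployment for the condition described above, as an added example that is not part of this advisory or of nuxt-auth-utils: it parses Set-Cookie header values and reports which of the three attributes are missing. The cookie names, values and the oauth_ prefix are constructed for illustration; substitute the names your application actually sets.

```javascript
// Audit Set-Cookie header values for the attributes named in the advisory.
// Cookie names and values below are constructed samples, not the library's own.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Returns the cookie name and its findings (empty when all three are set safely).
function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!('httponly' in attrs)) findings.push('missing HttpOnly: readable from page JavaScript');
  if (!('secure' in attrs)) findings.push('missing Secure: sent over plain HTTP');
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  if (!sameSite) findings.push('missing SameSite: left to the browser default');
  else if (sameSite === 'none') findings.push('SameSite=None: sent on cross-site requests');
  return { name, findings };
}

// Audits every header, keeping only flagged cookies that isSensitive() selects.
function auditResponse(setCookieHeaders, isSensitive) {
  return setCookieHeaders
    .map(auditCookie)
    .filter((r) => isSensitive(r.name) && r.findings.length > 0);
}

// Constructed Set-Cookie values: no explicit options vs. explicit options.
const before = [
  'oauth_state=abc123; Path=/',
  'oauth_pkce_verifier=xyz789; Path=/',
  'theme=dark; Path=/',
];
const after = [
  'oauth_state=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'oauth_pkce_verifier=xyz789; Path=/; HttpOnly; Secure; SameSite=Lax',
  'theme=dark; Path=/',
];
const isOAuthCookie = (name) => name.startsWith('oauth_'); // hypothetical prefix

for (const r of auditResponse(before, isOAuthCookie)) console.log(r.name, r.findings);
console.log('flagged after fix:', auditResponse(after, isOAuthCookie).length);
```

The sample uses SameSite=Lax rather than Strict because an OAuth callback arrives as a cross-site top-level navigation, on which Strict cookies are withheld; the value the patched release actually sets is not stated on this page.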