openapi-backend is vulnerable to Authorization Bypass
68
Medium Risk
openapi-backend authorizes incoming requests by running registered security handlers and inspecting their return values. The request-authorization logic only treats a returned object as a failed check when that object's single key is error, so a rejection object that also carries any other property such as a user or a status code is misread as a successful authorization. An attacker whose credentials are rejected can reach operations that should be denied, because the authorized flag is set on the deny path. The fix treats any object with a truthy error property as a failed authorization regardless of its other properties.
You are affected if you are using a version that falls within the vulnerable range and your security handlers reject requests by returning an object that includes an error property alongside other keys.
openapi-backend is vulnerable to Authorization Bypass in versions 5.5.0 - 5.17.0.
Upgrade the openapi-backend library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant