Intel

AIKIDO-2026-324914

@microsoft/teams-js is vulnerable to Origin Validation Error

Origin Validation Error Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 1, 2026

65

Medium Risk

This Affects:

JS@microsoft/teams-js
2.20.0 - 2.53.0
Fixed in 2.53.1
Are you affected? Scan for Free

TL;DR

The processAuthBridgeMessage handler in the nested app authentication bridge guards message processing with an origin check, but it evaluates the asynchronous shouldProcessIncomingMessage function by negating its returned promise instead of awaiting the resolved boolean. Because a promise object is always truthy, the if (!...) guard never rejects, so the handler processes nested app auth bridge messages regardless of whether the origin is in the allowlist or the message comes from the same window. An attacker able to post a crafted message to the app window can have forged authentication bridge responses processed, defeating origin validation. The fix awaits verifyIncomingMessageOrigin and continues only when it resolves to true, otherwise the message is ignored.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application uses the nested app authentication bridge.

Background info

@microsoft/teams-js is vulnerable to Origin Validation Error in versions 2.20.0 - 2.53.0.

How to fix this

Upgrade the @microsoft/teams-js library to the patch version.