@microsoft/teams-js is vulnerable to Origin Validation Error
65
Medium Risk
The processAuthBridgeMessage handler in the nested app authentication bridge guards message processing with an origin check, but it evaluates the asynchronous shouldProcessIncomingMessage function by negating its returned promise instead of awaiting the resolved boolean. Because a promise object is always truthy, the if (!...) guard never rejects, so the handler processes nested app auth bridge messages regardless of whether the origin is in the allowlist or the message comes from the same window. An attacker able to post a crafted message to the app window can have forged authentication bridge responses processed, defeating origin validation. The fix awaits verifyIncomingMessageOrigin and continues only when it resolves to true, otherwise the message is ignored.
You are affected if you are using a version that falls within the vulnerable range and your application uses the nested app authentication bridge.
@microsoft/teams-js is vulnerable to Origin Validation Error in versions 2.20.0 - 2.53.0.
Upgrade the @microsoft/teams-js library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant