-
Notifications
You must be signed in to change notification settings - Fork 579
Expand file tree
/
Copy pathGHSA-349c-2h2f-mxf6.json
More file actions
71 lines (71 loc) · 3.26 KB
/
GHSA-349c-2h2f-mxf6.json
File metadata and controls
71 lines (71 loc) · 3.26 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
{
"schema_version": "1.4.0",
"id": "GHSA-349c-2h2f-mxf6",
"modified": "2026-04-08T19:57:56Z",
"published": "2026-04-08T19:57:55Z",
"aliases": [],
"summary": "Laravel Passport: TokenGuard Authenticates Unrelated User for Client Credentials Tokens",
"details": "### Impact\nAuthentication Bypass for `client_credentials` tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating it's actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user.\n\n\nUsage of `EnsureClientIsResourceOwner` middleware together with `Passport::$clientUuids` set to `false`, can result in resolving the user instead, as stated in the [documentation](https://laravel.com/docs/13.x/passport#:~:text=The%20underlying%20OAuth2,client%20credentials%20token). \n\n> The [underlying OAuth2 server](https://oauth2.thephpleague.com/database-setup/#:~:text=Please%20note%20that,the%20bearer%20token.) sets the token's sub claim to the client's identifier for client credentials tokens. By default, Passport uses UUIDs for clients, so this cannot collide with a user's integer primary key. However, if you have set Passport::$clientUuids to false, a client credentials token may inadvertently resolve a user whose ID matches the client's ID. In such cases, using this middleware cannot guarantee that the incoming token is a client credentials token.\n\n### Patches\nPatched in v13.7.1\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\nDisallow usage of `client_credentials`. \n\n\n### References\n- https://github.com/laravel/passport/issues/1900\n- https://github.com/laravel/passport/pull/1901\n- https://github.com/laravel/passport/pull/1902\n- https://github.com/thephpleague/oauth2-server/issues/1456#issuecomment-2734989996",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"
}
],
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "laravel/passport"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "13.0.0"
},
{
"fixed": "13.7.1"
}
]
}
]
}
],
"references": [
{
"type": "WEB",
"url": "https://github.com/laravel/passport/security/advisories/GHSA-349c-2h2f-mxf6"
},
{
"type": "WEB",
"url": "https://github.com/laravel/passport/issues/1900"
},
{
"type": "WEB",
"url": "https://github.com/thephpleague/oauth2-server/issues/1456#issuecomment-2734989996"
},
{
"type": "WEB",
"url": "https://github.com/laravel/passport/pull/1901"
},
{
"type": "WEB",
"url": "https://github.com/laravel/passport/pull/1902"
},
{
"type": "PACKAGE",
"url": "https://github.com/laravel/passport"
}
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2026-04-08T19:57:55Z",
"nvd_published_at": null
}
}