Impact
Plack::Middleware::OAuth versions up through 0.10 omit support for the OAuth 2.0 state parameter: the RequestTokenV2 routine builds the provider authorization redirect without issuing a state value, and the AccessTokenV2 routine accepts the callback code and registers the resulting token into the session (register_session) without verifying that the callback belongs to an authorization request that this session initiated. This flaw allows an attacker to perform login cross‑site request forgery. If an application uses this middleware for OAuth 2.0 authentication, the attacker can start an authorization flow with a provider account under their control and deliver the resulting callback URL to a victim’s browser. The victim’s session then completes the attacker’s authorization, and the victim’s session is associated with the attacker’s provider identity and access token. When the application persists that link, the attacker may retain long‑term access to the victim’s account using their own provider credentials.
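The following is an added illustration of the flaw described above, written in Python and not taken from Plack::Middleware::OAuth. It models the client side of the OAuth 2.0 authorization-code flow twice: a handler pair that mirrors the advisory (no state issued, any delivered code is registered into the session) and a hardened pair that issues a per-session, single-use state and rejects callbacks that do not carry it. The provider URL, client id, redirect URI, authorization codes and identities are constructed sample values, and the token exchange is reduced to a dictionary lookup so the example runs offline. The simulate_login_csrf helper plays out the attack: the attacker starts the flow in their own session, then hands the callback URL to the victim's session.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical endpoints and client settings (not from the real module).
AUTHORIZE_URL = "https://provider.example/oauth2/authorize"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://app.example/oauth/callback"

# Stand-in for the provider's code-to-identity mapping (constructed sample data).
# In a real flow the code is exchanged for an access token over a back channel.
PROVIDER_CODES = {
    "code-attacker-1": "attacker@provider.example",
    "code-alice-1": "alice@provider.example",
}


def authorize_redirect_vulnerable(session):
    """Mirrors the flaw: the redirect carries no state and the session records nothing."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI}
    return AUTHORIZE_URL + "?" + urlencode(params)


def callback_vulnerable(session, callback_url):
    """Mirrors the flaw: whatever code arrives in this session is bound to it."""
    qs = parse_qs(urlparse(callback_url).query)
    code = qs.get("code", [None])[0]
    if code not in PROVIDER_CODES:
        return False
    session["provider_identity"] = PROVIDER_CODES[code]  # stand-in for register_session
    return True


def authorize_redirect_fixed(session):
    """Issue an unguessable state, remember it in the initiating session, send it to the provider."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def callback_fixed(session, callback_url):
    """Accept the code only if the callback's state matches the one this session issued."""
    qs = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replay finds nothing to match
    received = qs.get("state", [None])[0]
    if expected is None or received is None:
        return False
    if not hmac.compare_digest(expected, received):  # constant-time comparison
        return False
    code = qs.get("code", [None])[0]
    if code not in PROVIDER_CODES:
        return False
    session["provider_identity"] = PROVIDER_CODES[code]
    return True


def provider_callback_for(session, code):
    """Build the URL the provider would redirect to, echoing the state if one was sent."""
    params = {"code": code}
    if "oauth_state" in session:
        params["state"] = session["oauth_state"]
    return REDIRECT_URI + "?" + urlencode(params)


def simulate_login_csrf(redirect_fn, callback_fn):
    """Attacker starts the flow in their own session, then delivers the callback to the victim."""
    attacker, victim = {}, {}
    redirect_fn(attacker)
    callback_url = provider_callback_for(attacker, "code-attacker-1")
    accepted = callback_fn(victim, callback_url)  # victim's browser follows the attacker's URL
    return accepted, victim.get("provider_identity")


def simulate_legitimate_login():
    """Same user starts and finishes the flow; the second call is a replay of the callback."""
    session = {}
    authorize_redirect_fixed(session)
    callback_url = provider_callback_for(session, "code-alice-1")
    first = callback_fixed(session, callback_url)
    replay = callback_fixed(session, callback_url)
    return first, replay, session.get("provider_identity")


if __name__ == "__main__":
    print("vulnerable:", simulate_login_csrf(authorize_redirect_vulnerable, callback_vulnerable))
    print("fixed:     ", simulate_login_csrf(authorize_redirect_fixed, callback_fixed))
    print("legit:     ", simulate_legitimate_login())
```

The vulnerable pair accepts the attacker's code in the victim's session and binds the victim to the attacker's provider identity; the hardened pair rejects it because the victim's session never issued a state. Two details matter beyond merely adding the parameter: the state is popped from the session before comparison so a captured callback cannot be replayed, and it is compared with hmac.compare_digest so the check does not leak timing information.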
Affected Systems
The vulnerability affects the Perl module Plack::Middleware::OAuth, specifically version 0.10 and all earlier releases. Any Perl application that incorporates this module for OAuth 2.0 authentication is susceptible if it uses those versions.
Risk and Exploitability
No CVSS score is available and no EPSS score is reported. The flaw is not listed in the CISA KEV catalog and there is no known public exploitation. The impact is nonetheless high: because no state value is issued or validated, the application cannot tell whether a callback belongs to an authorization request its own session started, so any completed OAuth 2.0 flow can be grafted onto another user’s session. The likely attack vector is an attacker initiating an OAuth authorization with a provider account they control and then delivering the callback URL to a victim’s browser, thereby binding the victim’s session to the attacker’s identity. The vulnerability does not allow remote code execution, but it gives the attacker persistent access to the victim’s account through the linked provider identity and access token.