Impact
In the node-oauth2-server library, the token exchange for S256 PKCE flows accepts code_verifier values that do not meet the RFC 7636 requirements (43 to 128 unreserved characters), including one‑character strings. An attacker who captures an OAuth2 authorization code can therefore guess weak or short code_verifier values online: because the server does not invalidate the code after a failed attempt, the attacker can submit guesses to the token endpoint repeatedly until one hashes to the stored code_challenge, at which point an access token is issued that grants access to the victim's protected resources. The weakness combines improper input validation of the verifier (CWE‑1289) with a missing restriction on repeated authentication attempts (CWE‑307).
Affected Systems
The vulnerability affects the node-oauth:node-oauth2-server package, a Node.js library for implementing OAuth2 authorization servers. The CNA did not publish an affected version range, so all releases should be treated as potentially susceptible until a fixed version is identified.
Risk and Exploitability
The CVSS score of 5.9 corresponds to medium severity, and the EPSS score below 1% indicates a low estimated probability of exploitation in the wild in the near term. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation is online: the attacker first needs an authorization code, for example one intercepted over insecure transport or on a compromised network, and then brute‑forces the code_verifier through repeated requests to the token endpoint until it issues an access token. That token carries the scopes the victim granted, so the result is unauthorized disclosure or manipulation of the victim's data. The brute force is only practical when the legitimate client used a short or low‑entropy verifier; a compliant 43‑character random verifier is not guessable, which is why both rejecting malformed verifiers and consuming the code on the first failed attempt matter.
OpenCVE Enrichment
Github GHSA