CVE-2023-31999: 
JavaScript vulnerability analysis and mitigation

CVE-2023-31999 affects @fastify/oauth2, a wrapper around the simple-oauth2 library, in versions prior to 7.2.0. The vulnerability stems from the application using a statically generated state parameter at startup time that was reused across all requests for all users. The issue was discovered and disclosed in July 2023, affecting all versions of @fastify/oauth2 before version 7.2.0 (NVD, GitHub Release).

The vulnerability is related to the OAuth2 state parameter implementation, which is designed to prevent Cross-Site Request Forgery (CSRF) attacks. The state parameter should be unique per user and connected to the user's session to allow server validation. However, in affected versions, the application used a single static state parameter generated at startup for all users and requests. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The improper implementation of the state parameter compromises the CSRF protection mechanism in OAuth2 authentication. This could allow attackers to perform CSRF attacks against authenticated users, potentially leading to unauthorized actions being performed on behalf of the victim user (Auth0 Docs).

The vulnerability was fixed in version 7.2.0 of @fastify/oauth2. The update changes the default behavior to store the state parameter in a cookie with http-only and same-site=lax attributes set, and generates a unique state for every user. Users should upgrade to version 7.2.0 or later. Note that the fix includes a breaking change in the checkStateFunction function, which now accepts the full Request object (GitHub Release).