GHSA-3qmc-2r76-4rqp: 
JavaScript vulnerability analysis and mitigation

A high-severity vulnerability (GHSA-3qmc-2r76-4rqp) was discovered in Redwood's dbAuth functionality, specifically affecting the forgot password feature. The vulnerability was introduced in version 0.38.0 and affects versions >= 0.38.0, < 2.2.5 and >= 3.0.0, < 3.3.1. The issue was disclosed on November 9, 2022, and has been patched in versions 2.2.5 and 3.3.1 (GitHub Advisory).

The vulnerability exists in the dbAuth forgot password API where the reset token and reset token expiration date were being leaked in the API response. The issue has a CVSS v3.1 score of 8.2 (High), with the following metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None, Scope: Unchanged, Confidentiality: High, Integrity: None, Availability: Low (GitHub Advisory).

The vulnerability enables account takeover (hijacking) by allowing malicious actors to obtain reset tokens for any user through the forgot-password API, given knowledge of their username or email. With the leaked reset token, attackers could reset users' passwords and gain unauthorized access to their accounts (GitHub Advisory).

The primary mitigation is to upgrade to patched versions (v3.3.1+ or v2.2.5+). Alternative workarounds include: manually stripping out resetToken and resetTokenExpiresAt in the forgotPassword.handler(), using yarn patch to manually apply the fix for v3 and v2 users with yarn v3, or disabling the forgot password flow entirely for v3 users (GitHub Advisory, GitHub Release).