CVE-2023-31999

Name: CVE-2023-31999
Creator: NVD / NIST
Published: 2023-07-04T17:15:10.657+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.8/10EPSS 0.58%

Last modified Jun 17, 2026

CVE-2023-31999 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks. EPSS estimates a 0.58% chance of exploitation in the next 30 days.

Description

All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be connected to the user's session in some way that will allow the server to validate it. v7.2.0 changes the default behavior to store the state in a cookie with the http-only and same-site=lax attributes set. The state is now by default generated for every user. Note that this contains a breaking change in the checkStateFunction function, which now accepts the full Request object.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Probability

0.58%

43.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-352

Affected Software

Vendor	Product	Versions
Fastify	Oauth2	< 7.2.0

References

https://auth0.com/docs/secure/attack-protection/state-parametersExploit
https://github.com/fastify/fastify-oauth2/releases/tag/v7.2.0Release Notes
https://hackerone.com/reports/2020418Permissions Required
https://auth0.com/docs/secure/attack-protection/state-parametersExploit
https://github.com/fastify/fastify-oauth2/releases/tag/v7.2.0Release Notes
https://hackerone.com/reports/2020418Permissions Required

Timeline

Published: Jul 4, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-31999?

How severe is CVE-2023-31999?

CVE-2023-31999 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 0.58% probability of exploitation in the next 30 days.

How do I fix CVE-2023-31999?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-31999?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST