CVE-2020-15222
Replay of private_key_jwt possible in ORY Fosite
In short
ORY Fosite fails to check whether a JWT ID (jti) claim has already been used during private_key_jwt client authentication, allowing attackers to replay the same assertion multiple times instead of it being accepted just once. This breaks a key security requirement that prevents reuse of authentication tokens.
Technical detail
The vulnerability exists in the private_key_jwt client authentication flow where the jti (JWT ID) claim uniqueness is not validated. An attacker can replay a previously used JWT assertion multiple times, bypassing the mandatory single-use requirement specified in OpenID Connect. Affected versions prior to 0.31.0 fail to maintain a jti registry or check against it during token validation.
Summary generated and translated by AI from the official description.
In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.31.0, when using "private_key_jwt" authentication the uniqueness of the `jti` value is not checked. When using client authentication method "private_key_jwt", OpenId specification says the following about assertion `jti`: "A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties". Hydra does not seem to check the uniqueness of this `jti` value. This problem is fixed in version 0.31.0.
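As an added illustration that is not Fosite's own code, this Go sketch shows the jti registry the advisory says was missing before 0.31.0: a store that remembers consumed jti values for the lifetime of the assertion and rejects a second use. The names AssertionClaims, JTIStore and Consume are assumptions, and the assertion's signature is assumed to have been verified before its claims reach this check.

```go
package main

import (
	"errors"
	"sync"
	"time"
)

// Claims of a private_key_jwt assertion that this check needs; they are
// read only after the assertion's signature has been verified (assumed here).
type AssertionClaims struct {
	Issuer string    // iss: the client_id that signed the assertion
	JTI    string    // jti: unique identifier of this assertion
	Exp    time.Time // exp: end of the assertion's lifetime
}

// JTIStore remembers consumed jti values until their assertion expires.
// Production code would back this with a store shared by all replicas.
type JTIStore struct {
	mu   sync.Mutex
	seen map[string]time.Time // issuer+jti -> exp of the assertion that used it
}

func NewJTIStore() *JTIStore { return &JTIStore{seen: map[string]time.Time{}} }

var (
	ErrReplay  = errors.New("jti already used: assertion replayed")
	ErrInvalid = errors.New("assertion expired or missing jti")
)

// Consume enforces single use: the first assertion with a given jti is accepted;
// a later one with the same jti is rejected while the original is still valid.
func (s *JTIStore) Consume(c AssertionClaims, now time.Time) error {
	if c.JTI == "" || !now.Before(c.Exp) {
		return ErrInvalid
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	for k, exp := range s.seen { // forget entries that can no longer be replayed
		if !now.Before(exp) {
			delete(s.seen, k)
		}
	}
	key := c.Issuer + "\x00" + c.JTI // scope by client so clients cannot collide
	if _, dup := s.seen[key]; dup {
		return ErrReplay
	}
	s.seen[key] = c.Exp
	return nil
}
```

Entries are kept only as long as the assertion they belong to could still be accepted, which is the retention window RFC 7523 suggests for a used-jti set.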
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Affected products
ory · fosite