GMS-2021-57: Steam Socialite Provider v1 does not correctly validate openid server

January 29, 2021

Impact

The outdated version 1 of the Steam Socialite Provider does not properly verify that the OpenID login response actually comes from steamcommunity.com. A malicious actor can therefore substitute an OpenID server under their own control and have the provider accept an identity that Steam never authenticated.

Patches

This vulnerability only affects the outdated v1.x versions of the package, which are no longer maintained. Users should upgrade to v3 or v4, which verify the login against a hardcoded steamcommunity.com endpoint.
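To make the impact and the fix concrete, here is an added Python illustration of an OpenID 2.0 check_authentication verifier written two ways. It is not the package's PHP code and not a reconstruction of the v1 source: one version trusts the openid.op_endpoint named in the callback, so an attacker who forges the callback also chooses the server that confirms it; the other only ever consults a hardcoded Steam endpoint and only accepts claimed identifiers under steamcommunity.com. The hostnames, signatures, fake transport and callback parameters are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Added illustration for this advisory; hosts, signatures and helper names
# are hypothetical and this is not the socialiteproviders/steam source.
OPENID_NS = "http://specs.openid.net/auth/2.0"
STEAM_OPENID_ENDPOINT = "https://steamcommunity.com/openid/login"
# Steam identities are 17-digit SteamIDs under exactly this prefix.
STEAM_CLAIMED_ID_RE = re.compile(r"^https://steamcommunity\.com/openid/id/(\d{17})$")


def build_check_auth_request(params):
    """Echo the signed fields and signature back as an OpenID 2.0
    check_authentication request, so the OP can say whether it issued them."""
    body = {}
    for field in params.get("openid.signed", "").split(","):
        key = "openid." + field
        if key in params:
            body[key] = params[key]
    body["openid.ns"] = OPENID_NS
    body["openid.mode"] = "check_authentication"
    body["openid.sig"] = params.get("openid.sig", "")
    body["openid.assoc_handle"] = params.get("openid.assoc_handle", "")
    return body


def parse_kv_response(text):
    """Parse the 'key:value' lines of an OpenID direct response."""
    result = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            result[key.strip()] = value.strip()
    return result


def verify_vulnerable(params, post):
    """VULNERABLE pattern: ask whichever server the callback names in
    openid.op_endpoint. A forged callback can point at the attacker's OP."""
    endpoint = params["openid.op_endpoint"]
    reply = parse_kv_response(post(endpoint, build_check_auth_request(params)))
    if reply.get("is_valid") != "true":
        return None
    return params["openid.claimed_id"].rsplit("/", 1)[-1]


def verify_hardened(params, post):
    """HARDENED pattern: only talk to the hardcoded Steam endpoint and only
    accept identifiers that live under steamcommunity.com."""
    if params.get("openid.op_endpoint") != STEAM_OPENID_ENDPOINT:
        return None
    claimed = params.get("openid.claimed_id", "")
    match = STEAM_CLAIMED_ID_RE.match(claimed)
    if not match or params.get("openid.identity") != claimed:
        return None
    reply = parse_kv_response(post(STEAM_OPENID_ENDPOINT, build_check_auth_request(params)))
    if reply.get("ns") != OPENID_NS or reply.get("is_valid") != "true":
        return None
    return match.group(1)


GENUINE_SIG = "Z2VudWluZQ=="  # constructed stand-in for a signature Steam really made


def fake_post(url, body):
    """Constructed offline stand-in for an HTTP POST to the OP."""
    host = urlparse(url).hostname
    if host == "steamcommunity.com":
        # The real OP only confirms assertions it actually signed.
        valid = body.get("openid.sig") == GENUINE_SIG
        return f"ns:{OPENID_NS}\nis_valid:{'true' if valid else 'false'}\n"
    if host == "evil.example":
        # The attacker's server confirms anything it is asked about.
        return f"ns:{OPENID_NS}\nis_valid:true\n"
    raise ConnectionError(url)


def make_callback(op_endpoint, claimed_id, sig):
    """Constructed callback query parameters as the application sees them."""
    return {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": "https://app.example/auth/steam/callback",
        "openid.response_nonce": "2021-01-29T00:00:00Zabcdef",
        "openid.assoc_handle": "1234567890",
        "openid.signed": "signed,op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
        "openid.sig": sig,
    }


VICTIM_ID = "https://steamcommunity.com/openid/id/76561197960287930"
# Attacker names their own OP and claims the victim's SteamID with a made-up signature.
FORGED = make_callback("https://evil.example/openid/login", VICTIM_ID, "Zm9yZ2Vk")
# A real login: Steam's endpoint and a signature Steam recognises.
GENUINE = make_callback(STEAM_OPENID_ENDPOINT, VICTIM_ID, GENUINE_SIG)

if __name__ == "__main__":
    print("vulnerable accepts forgery as:", verify_vulnerable(FORGED, fake_post))
    print("hardened on forgery:", verify_hardened(FORGED, fake_post))
    print("hardened on genuine login:", verify_hardened(GENUINE, fake_post))
```

The hardened verifier also pins openid.identity to openid.claimed_id and rejects identifiers outside Steam's namespace, so an attacker who does hit the real endpoint cannot smuggle in an identity from another domain. A real deployment additionally checks openid.return_to against the application's own callback URL and tracks response nonces against replay.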

For more information

If you have any questions or comments about this advisory:

  • Open an issue in SocialiteProviders/Providers
  • Email us at socialite@atymic.dev

References

  • github.com/SocialiteProviders/Steam/security/advisories/GHSA-hhw9-35p2-q2c5
  • github.com/advisories/GHSA-hhw9-35p2-q2c5
  • packagist.org/packages/socialiteproviders/steam

Affected versions

All versions before 1.1

Fixed versions

  • 3.0

Solution

Upgrade to version 3.0 or above.

Source file

packagist/socialiteproviders/steam/GMS-2021-57.yml

Page generated Wed, 14 May 2025 12:15:39 +0000.