GMS-2020-454: Improper Authorization in react-oauth-flow

September 3, 2020 (updated October 4, 2021)

All versions of react-oauth-flow fail to properly implement the OAuth protocol. The package stores secrets in the front-end code. Instead of using a public OAuth client, it uses a confidential client on the browser. This may allow attackers to compromise server credentials. No fix is currently available. Consider using an alternative module until a fix is made available.

References

github.com/advisories/GHSA-65m9-m259-7jqw
github.com/ethereum/web3.js/issues/2739
www.npmjs.com/advisories/1487

Code Behaviors & Features

Detect and mitigate GMS-2020-454 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →