8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-7787

GHSA ID

GHSA-7mpx-vg3c-cmr4

EPSS Score

0.49996%

CWE

CWE-287

Published

4/13/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-7787

CVE-2020-7787: Improper Authentication in react-adal

This affects versions of react-adal < 0.5.1. It is possible for a specially crafted JWT token and request URL can cause the nonce, session and refresh values to be incorrectly validated, causing the application to treat an attacker-generated JWT token as authentic. The logical defect is caused by how the nonce, session and refresh values are stored in the browser local storage or session storage. Each key is automatically appended by ||. When the received nonce and session keys are generated, the list of values is stored in the browser storage, separated by ||, with || always appended to the end of the list. Since || will always be the last 2 characters of the stored values, an empty string ("") will always be in the list of the valid values. Therefore, if an empty session parameter is provided in the callback URL, and a specially-crafted JWT token contains an nonce value of "" (empty string), then adal.js will consider the JWT token as authentic.

(GitHub Advisory)

8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-7787

GHSA ID

GHSA-7mpx-vg3c-cmr4

EPSS Score

0.49996%

CWE

CWE-287

Published

4/13/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
react-adal	npm	< 0.5.1	0.5.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how nonce and state values were stored with trailing || delimiters, creating empty string entries. The original validation functions (_matchNonce and _matchState) iterated through split values without checking for empty elements. This allowed attackers to submit empty nonce/session parameters that would match the stored empty strings. The commit diff shows these functions were modified to add truthiness checks (requestNonce[i] && ...), confirming these were the vulnerable validation points. The CVE description directly implicates the nonce and state validation logic as the flawed authentication mechanism.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts v*rsions o* r***t-***l < *.*.*. It is possi*l* *or * sp**i*lly *r**t** JWT tok*n *n* r*qu*st URL **n **us* t** non**, s*ssion *n* r**r*s* v*lu*s to ** in*orr**tly v*li**t**, **usin* t** *ppli**tion to tr**t *n *tt**k*r-**n*r*t** JWT tok*

Reasoning

T** vuln*r**ility st*ms *rom *ow non** *n* st*t* v*lu*s w*r* stor** wit* tr*ilin* || **limit*rs, *r**tin* *mpty strin* *ntri*s. T** ori*in*l v*li**tion *un*tions (_m*t**Non** *n* _m*t**St*t*) it*r*t** t*rou** split v*lu*s wit*out ****kin* *or *mpty *

8.2

Basic Information

Concerned about an active attack path?

CVE-2020-7787: Improper Authentication in react-adal

8.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI