This is a session fixation vulnerability: the session ID was not regenerated in the authentication flows. The commit diff shows that both the logIn and logOut functions were modified to call session.regenerate() when @fastify/session is in use. In vulnerable versions these calls were absent, so the session ID persisted across authentication state changes (login and logout). OWASP's session fixation guidance confirms that regenerating the session ID on any privilege change is a critical mitigation, and the CVE description explicitly attributes the vulnerability to the missing regeneration.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @fastify/passport | npm | < 1.1.0 | 1.1.0 |
| @fastify/passport | npm | >= 2.0.0, < 2.3.0 | 2.3.0 |