Basic Information

- CVSS Score: -
- CVE ID: -
- GHSA ID: -
- EPSS Score: -
- CWE: -
- Published: -
- Updated: -
- KEV Status: -
- Technology: -
The vulnerability stems from two flaws in the fetchAccessToken() method of OAuth2.php:

1) The authCodeVerifier state was not cleared after the token exchange, leaving it available for reuse and violating PKCE's one-time-use requirement.
2) When PKCE was enabled, there was no check that authCodeVerifier actually existed, so the PKCE protection could be bypassed simply by omitting it.

The patch explicitly adds state removal (`$this->removeState('authCodeVerifier')`) and validation (throw if empty), confirming these were the vulnerable code paths. The commit diff and CWE mappings directly implicate this function.
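To make the two defects and their fix concrete, the following is an added illustration, not code from yiisoft/yii2-authclient or from the patch: a minimal PKCE-aware token-exchange client with a hypothetical in-memory state store. The class names (`PkceStateStore`, `PkceClient`), the `hardened` switch and the `authCodeVerifier` state key are assumptions chosen to mirror the description above; the authorization code and URLs are constructed. It assumes PHP 8.0 or later and performs no network I/O (the token request parameters are returned instead of being posted).

```php
<?php
// Added illustration (hypothetical names, not yii2-authclient code) of the two
// PKCE defects described above and the corresponding fix in fetchAccessToken().
declare(strict_types=1);

// Hypothetical stand-in for the client's session-backed state storage.
final class PkceStateStore
{
    private array $state = [];
    public function set(string $key, string $value): void { $this->state[$key] = $value; }
    public function get(string $key): ?string { return $this->state[$key] ?? null; }
    public function remove(string $key): void { unset($this->state[$key]); }
}

final class PkceClient
{
    public function __construct(
        private PkceStateStore $store,
        private bool $enablePkce,
        private bool $hardened, // false = pre-patch behaviour, true = patched behaviour
    ) {}

    /** Step 1: create verifier/challenge and store the verifier before redirecting. */
    public function buildAuthUrl(): string
    {
        if (!$this->enablePkce) {
            return 'https://auth.example/authorize';
        }
        $verifier = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
        $this->store->set('authCodeVerifier', $verifier);
        $challenge = rtrim(strtr(base64_encode(hash('sha256', $verifier, true)), '+/', '-_'), '=');
        return 'https://auth.example/authorize?code_challenge=' . $challenge
            . '&code_challenge_method=S256';
    }

    /** Step 2: build the token request, attaching the stored code_verifier. */
    public function fetchAccessToken(string $authCode): array
    {
        $params = ['grant_type' => 'authorization_code', 'code' => $authCode];
        if ($this->enablePkce) {
            $verifier = $this->store->get('authCodeVerifier');
            if ($this->hardened && ($verifier === null || $verifier === '')) {
                // Fix 2: PKCE is enabled but no verifier is in state, so this flow was
                // never started here; refuse instead of sending a request without it.
                throw new RuntimeException('PKCE enabled but authCodeVerifier is missing from state');
            }
            if ($verifier !== null && $verifier !== '') {
                $params['code_verifier'] = $verifier;
            }
            if ($this->hardened) {
                // Fix 1: the verifier is single-use; drop it once the exchange is built.
                $this->store->remove('authCodeVerifier');
            }
        }
        return $params; // a real client would POST these to the token endpoint
    }
}

// --- Demonstration with a constructed authorization code, no network ---
$code = 'constructed-auth-code';

// Pre-patch, flaw 1: verifier survives the exchange and could be reused.
$store = new PkceStateStore();
$vulnerable = new PkceClient($store, enablePkce: true, hardened: false);
$vulnerable->buildAuthUrl();
$vulnerable->fetchAccessToken($code);
printf("pre-patch: verifier still in state after exchange? %s\n",
    $store->get('authCodeVerifier') !== null ? 'yes' : 'no');

// Pre-patch, flaw 2: no verifier was ever stored, yet the exchange proceeds without PKCE.
$bare = new PkceClient(new PkceStateStore(), enablePkce: true, hardened: false);
$params = $bare->fetchAccessToken($code);
printf("pre-patch: exchange built without code_verifier? %s\n",
    isset($params['code_verifier']) ? 'no' : 'yes');

// Patched: verifier is cleared after use ...
$store = new PkceStateStore();
$fixed = new PkceClient($store, enablePkce: true, hardened: true);
$fixed->buildAuthUrl();
$fixed->fetchAccessToken($code);
printf("patched: verifier cleared after exchange? %s\n",
    $store->get('authCodeVerifier') === null ? 'yes' : 'no');

// ... and a missing verifier is an error rather than a silent downgrade.
try {
    (new PkceClient(new PkceStateStore(), enablePkce: true, hardened: true))->fetchAccessToken($code);
} catch (RuntimeException $e) {
    echo 'patched: refused -> ', $e->getMessage(), "\n";
}
```

The `hardened` flag exists only to show both behaviours side by side; a real client would implement only the patched path. When reviewing a fix of this kind, the two checks to look for are exactly those shown: the verifier is removed from state in the same code path that consumes it, and a PKCE-enabled exchange fails closed when the verifier is absent.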
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| yiisoft/yii2-authclient | composer | < 2.2.15 | 2.2.15 |