Description
In ORY Fosite (the security-first OAuth2 & OpenID Connect framework for Go) before version 0.31.0, the uniqueness of the `jti` value is not checked when the `private_key_jwt` client authentication method is used. For that method, the OpenID Connect Core specification says the following about the assertion's `jti`: "A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties". Hydra does not seem to check the uniqueness of this `jti` value, so the once-only requirement is not enforced. This problem is fixed in version 0.31.0.
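As an added illustration of the missing check (example code, not fosite's own implementation), the following Go snippet enforces one-time use of a client assertion's `jti`: a hypothetical `assertionClaims` type stands in for the parsed assertion, and an in-memory `jtiStore` keeps accepted `jti` values until the assertion that carried them expires, so a second presentation of the same assertion is rejected.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// assertionClaims is a hypothetical minimal view of the client assertion (not fosite's type).
type assertionClaims struct {
	JTI string    // "jti" claim
	Exp time.Time // "exp" claim
}

var errJTIInvalid = errors.New("client assertion has no jti or has expired")
var errJTIReused = errors.New("client assertion jti has already been used")

// jtiStore remembers accepted jti values (jti -> exp) until the assertion that carried them expires.
type jtiStore struct {
	mu   sync.Mutex
	seen map[string]time.Time
}

// checkAndMark enforces one-time use. Expired assertions are rejected outright, so pruning
// expired entries never reopens a replay window; a jti seen before is rejected as a replay.
func (s *jtiStore) checkAndMark(c assertionClaims, now time.Time) error {
	if c.JTI == "" || !c.Exp.After(now) {
		return errJTIInvalid
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	for id, exp := range s.seen { // drop entries whose assertion could no longer be presented
		if !exp.After(now) {
			delete(s.seen, id)
		}
	}
	if _, dup := s.seen[c.JTI]; dup {
		return errJTIReused
	}
	s.seen[c.JTI] = c.Exp
	return nil
}

func main() { // constructed sample: first presentation accepted, replay rejected
	s, now := &jtiStore{seen: map[string]time.Time{}}, time.Now()
	c := assertionClaims{JTI: "3f9c-constructed", Exp: now.Add(5 * time.Minute)}
	fmt.Println(s.checkAndMark(c, now), s.checkAndMark(c, now))
}
```

In a clustered token endpoint the store would need to be shared (for example a database or cache keyed by `jti`), since a per-process map only detects replays against the same instance.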
References (3)
Exploit, Third Party Advisory (x_refsource_confirm): https://github.com/ory/fosite/security/advisories/GHSA-v3q9-2p3m-7g43
Patch, Third Party Advisory (x_refsource_misc): https://github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9
Third Party Advisory (x_refsource_misc): https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
Scores
CVSS v3: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS: 0.0012 (percentile 30.0%)
Attack Vector: NETWORK
Details
CWE: CWE-345, CWE-287
Status: published
Products (2)
ory/fosite: < 0.31.0
ory/fosite: 0 - 0.31.0 (Go)
Published: Sep 24, 2020
Tracked Since: Feb 18, 2026