Vulnerability Description
A vulnerability in the expo.io framework allows an attacker to take over accounts and steal credentials on an application/website that configured the "Expo AuthSession Redirect Proxy" for social sign-in. This can be achieved once a victim clicks a malicious link. The link itself may be sent to the victim in various ways (including email, text message, an attacker-controlled website, etc).
CVSS Score
9.6 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Expo | Expo Software Development Kit | >= 45.0.0, < 48.0.0 |
Related Weaknesses (CWE)
References
- https://blog.expo.dev/security-advisory-for-developers-using-authsessions-usepro (Mitigation; Third Party Advisory)
- https://www.darkreading.com/endpoint/oauth-flaw-in-expo-platform-affects-hundred
FAQ
What is CVE-2023-28131?
CVE-2023-28131 is a vulnerability with a CVSS score of 9.6 (CRITICAL). A vulnerability in the expo.io framework allows an attacker to take over accounts and steal credentials on an application/website that configured the "Expo AuthSession Redirect Proxy" for social sign-...
How severe is CVE-2023-28131?
CVE-2023-28131 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-28131?
Check the references section above for vendor advisories and patch information. Affected products include: Expo Software Development Kit (vendor: Expo), versions >= 45.0.0 and < 48.0.0.