CVE-2024-11023
Session Fixation vulnerability in firebase (npm)

Session Fixation No known exploit

What is CVE-2024-11023 About?

This Session Fixation vulnerability in the Firebase JavaScript SDK allows an attacker to capture user session data. By pre-setting the `FIREBASE_DEFAULTS` cookie with a manipulated `_authTokenSyncURL` field, an attacker can redirect session synchronization to a server they control. This allows sensitive data to be intercepted, and it is relatively easy to exploit for an attacker who can preset the cookie.

Affected Software

firebase <10.9.0

Technical Details

The vulnerability exploits the Firebase JavaScript SDK's reliance on the `FIREBASE_DEFAULTS` cookie for storing configuration data, specifically the `_authTokenSyncURL` field responsible for session synchronization. If an attacker can preset this cookie (e.g., via a cross-site scripting (XSS) vulnerability, cookie injection, or a misconfigured third-party script), they can manipulate `_authTokenSyncURL` to point to a server under their control. When the legitimate Firebase SDK initializes and attempts to synchronize user session data, it will unwittingly send this sensitive information (e.g., authentication tokens) to the attacker-controlled server instead of the legitimate Firebase endpoint, allowing the attacker to capture and potentially replay or misuse the user's session data. This mechanism effectively hijacks the session synchronization process.
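The following JavaScript is an added example, not code from this advisory or from the Firebase SDK. It shows the trust boundary the bug crosses: an application-side check that reads the `_authTokenSyncURL` field out of a `FIREBASE_DEFAULTS` cookie and refuses to use it unless it resolves to the app's own origin or an expected host over HTTPS. The cookie name and field name come from the advisory; everything else is assumed for the example: that the cookie value is URL-encoded, base64-encoded JSON, the app origin, the allowed-host list, and the sample cookie strings, which are constructed rather than captured. The actual fix is the upgrade listed below; this check only illustrates why an unvalidated sync URL taken from a cookie is dangerous.

```javascript
// Added example (not Firebase SDK code): refuse to trust an _authTokenSyncURL
// carried in a FIREBASE_DEFAULTS cookie unless it points at the app's own
// origin or an expected host. Assumptions (not stated on the page): the cookie
// value is URL-encoded base64 JSON; APP_ORIGIN and ALLOWED_HOSTS are ours to set.

function decodeBase64(s) {
  // Works in browsers (atob) and in Node (Buffer).
  if (typeof atob === 'function') return atob(s);
  return Buffer.from(s, 'base64').toString('utf8');
}

function encodeBase64(s) {
  if (typeof btoa === 'function') return btoa(s);
  return Buffer.from(s, 'utf8').toString('base64');
}

// Parse a document.cookie / Cookie-header style string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Return the _authTokenSyncURL string from the FIREBASE_DEFAULTS cookie, or null
// when the cookie is missing, undecodable, or lacks the field. An undecodable
// cookie is treated as absent rather than trusted.
function readAuthTokenSyncURL(cookieString, cookieName = 'FIREBASE_DEFAULTS') {
  const raw = parseCookies(cookieString)[cookieName];
  if (!raw) return null;
  let defaults;
  try {
    defaults = JSON.parse(decodeBase64(decodeURIComponent(raw)));
  } catch (e) {
    return null;
  }
  return typeof defaults._authTokenSyncURL === 'string' ? defaults._authTokenSyncURL : null;
}

// Allow only https URLs that resolve to the app origin or an allow-listed host.
// Relative URLs are resolved against the app origin, so they stay first-party.
function isAllowedSyncURL(syncUrl, appOrigin, allowedHosts) {
  let u;
  try {
    u = new URL(syncUrl, appOrigin);
  } catch (e) {
    return false;
  }
  if (u.protocol !== 'https:') return false;
  if (u.origin === new URL(appOrigin).origin) return true;
  return allowedHosts.includes(u.hostname);
}

// Combined decision: status is 'absent', 'allowed', or 'rejected'.
function checkFirebaseDefaultsCookie(cookieString, appOrigin, allowedHosts) {
  const url = readAuthTokenSyncURL(cookieString);
  if (url === null) return { status: 'absent', url: null };
  const ok = isAllowedSyncURL(url, appOrigin, allowedHosts);
  return { status: ok ? 'allowed' : 'rejected', url };
}

// Constructed sample data (assumed origin and hosts, not from any real site).
const APP_ORIGIN = 'https://app.example.test';
const ALLOWED_HOSTS = ['app.example.test'];

function encodeDefaults(obj) {
  return encodeURIComponent(encodeBase64(JSON.stringify(obj)));
}

const BENIGN_COOKIE =
  'sid=abc123; FIREBASE_DEFAULTS=' + encodeDefaults({ _authTokenSyncURL: '/auth/sync' });
const PLANTED_COOKIE =
  'FIREBASE_DEFAULTS=' + encodeDefaults({ _authTokenSyncURL: 'https://attacker.example.test/sync' });

console.log(checkFirebaseDefaultsCookie(BENIGN_COOKIE, APP_ORIGIN, ALLOWED_HOSTS));  // status: 'allowed'
console.log(checkFirebaseDefaultsCookie(PLANTED_COOKIE, APP_ORIGIN, ALLOWED_HOSTS)); // status: 'rejected'
```

The decision is deliberately fail-closed: a cookie that cannot be decoded yields `absent`, an `http:` URL or any host outside the allow-list yields `rejected`, and only a first-party or allow-listed HTTPS target is accepted. Logging `rejected` results is also a cheap detection signal for a planted cookie.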

What is the Impact of CVE-2024-11023?

Successful exploitation may allow attackers to capture user session data, including authentication tokens, leading to session hijacking, unauthorized access to user accounts, and potential data exfiltration.

What is the Exploitability of CVE-2024-11023?

Exploitation of this vulnerability has moderate complexity and relies on the attacker's ability to preset the `FIREBASE_DEFAULTS` cookie in the victim's browser. This often requires an initial vulnerability, such as Cross-Site Scripting (XSS), or a third-party script that can write cookies to the domain. No direct authentication to Firebase is required once the cookie is set. This is a client-side, remote exploitation scenario in which the attacker's goal is to manipulate the client's browser state. The attacker needs no privileges beyond being able to manipulate client-side cookies for the target domain. The conditions required are that the SDK reads `_authTokenSyncURL` from the cookie and that the attacker is able to plant the malicious cookie. Risk factors that increase exploitation likelihood include inadequate XSS protections on the application, insecure third-party integrations, or other client-side vulnerabilities that allow cookie manipulation.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2024-11023?

Available Upgrade Options

  • firebase
    • <10.9.0 → Upgrade to 10.9.0


Additional Resources

What are Similar Vulnerabilities to CVE-2024-11023?

Similar Vulnerabilities: CVE-2023-38822, CVE-2022-38686, CVE-2021-39141, CVE-2020-25213, CVE-2019-15891