Conversation

@thw-nango (Contributor) commented Feb 3, 2026

CVE-2023-36019 is out of the bag. We are affected by a similar vulnerability.

To mitigate, we validate state against an OOB cookie carried by the OAuth2 flow initiator.

Consider this change high-risk, as some OAuth2 providers are known to not implement the specification correctly. That could lead to broken providers in Nango.

You can ignore the first commit in this PR, as it turned out to be tautological.


The controller now mints a secure, HTTP-only oauth2-${session.id} cookie whenever it issues an authorization URL, the callback handler refuses token exchanges until that cookie is presented and then clears it, and cookie parsing is confined to the /oauth/callback route so the rest of the public router remains unaffected.


This summary was automatically generated by @propel-code-bot
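The cookie-bound state check the PR describes (mint an HTTP-only, secure `oauth2-${session.id}` cookie when the authorization URL is issued; refuse the callback until that cookie is presented; clear it afterwards), as an added example that is not Nango's own code. The in-memory session store, the cookie value, the `Path` attribute, the provider URL and the function names are assumptions.

```typescript
import { randomUUID } from 'node:crypto';
// Constructed stand-in for the server-side session store (assumption, not Nango's real store).
const sessions = new Map<string, { providerConfigKey: string }>();

// Cookie attributes: the PR states secure and HTTP-only; Path is an assumption so the
// cookie is only ever sent to the callback route.
const COOKIE_ATTRS = 'Path=/oauth/callback; HttpOnly; Secure';

function cookieName(sessionId: string): string {
  return `oauth2-${sessionId}`;
}

// Called when the authorization URL is issued: create the session, use its id as `state`,
// and return the Set-Cookie header that binds this browser to the session.
function startAuthorization(providerConfigKey: string) {
  const sessionId = randomUUID();
  sessions.set(sessionId, { providerConfigKey });
  const authorizationUrl = `https://provider.example/authorize?state=${encodeURIComponent(sessionId)}`;
  return { sessionId, authorizationUrl, setCookie: `${cookieName(sessionId)}=1; ${COOKIE_ATTRS}` };
}

// Minimal Cookie header parser, used only on /oauth/callback.
function parseCookies(header: string | undefined): Map<string, string> {
  const jar = new Map<string, string>();
  for (const part of (header ?? '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

type CallbackResult =
  | { ok: true; providerConfigKey: string; setCookie: string }
  | { ok: false; reason: string };

// Callback handler: refuse the token exchange unless the cookie minted for this `state`
// is presented by the same browser, then consume the session and clear the cookie.
function handleCallback(query: { state?: string; code?: string }, cookieHeader?: string): CallbackResult {
  const state = query.state;
  if (!state || !query.code) return { ok: false, reason: 'missing state or code' };
  const session = sessions.get(state);
  if (!session) return { ok: false, reason: 'unknown or already used state' };
  if (!parseCookies(cookieHeader).has(cookieName(state))) {
    return { ok: false, reason: 'session cookie not presented: flow was not started by this browser' };
  }
  sessions.delete(state); // one-time use: a replayed callback is rejected above
  const clearCookie = `${cookieName(state)}=; ${COOKIE_ATTRS}; Max-Age=0`;
  return { ok: true, providerConfigKey: session.providerConfigKey, setCookie: clearCookie };
}
```

A callback carrying a `state` that this browser never started the flow for (no matching cookie) is refused, which is the case the PR closes.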


@thw-nango thw-nango changed the title validate state session ID in Oauth2 callback fix(oauth): Validate state session ID in Oauth2 callback Feb 3, 2026
@thw-nango thw-nango marked this pull request as ready for review February 3, 2026 11:06
@thw-nango thw-nango force-pushed the thw/NAN-2156/validate-session-state branch from 2203853 to acbe22a Compare February 3, 2026 12:50
@thw-nango thw-nango force-pushed the thw/NAN-2156/validate-session-state branch from acbe22a to 7556959 Compare February 3, 2026 14:45
@TBonnin (Collaborator) left a comment

Have you tested this change? I don't think the public API currently supports cookies.

Also what about the other oauth2 flows (mcp, oauth2cc, outbound, ...)? Are they also vulnerable?

@TBonnin TBonnin force-pushed the thw/NAN-2156/validate-session-state branch from afe5a0c to 46f08f3 Compare February 4, 2026 17:59
@NangoHQ NangoHQ deleted a comment from propel-code-bot bot Feb 4, 2026
@hassan254-prog (Contributor)

Have you tested this change? I don't think the public API currently supports cookies.

Also what about the other oauth2 flows (mcp, oauth2cc, outbound, ...)? Are they also vulnerable?

I have tested this with several OAUTH2 providers. This change applies only to OAUTH2; other auth modes such as CUSTOM, APP, OAUTH1, and OUTBOUND are also affected and will require a separate PR (decided to split this) as they also rely on provider callbacks.

@TBonnin (Collaborator) commented Feb 11, 2026

Have you tested this change? I don't think the public API currently supports cookies.
Also what about the other oauth2 flows (mcp, oauth2cc, outbound, ...)? Are they also vulnerable?

I have tested this with several OAUTH2 providers. This change applies only to OAUTH2; other auth modes such as CUSTOM, APP, OAUTH1, and OUTBOUND are also affected and will require a separate PR (decided to split this) as they also rely on provider callbacks.

Thank you for checking. Makes sense to split the PRs. It would be good to address the other auth modes relatively quickly.
