All passport CVEs — Complete Vulnerability History

Last updated: April 1, 2026 · Data: OSV Database

passport is the most widely used Node.js authentication middleware. Its CVEs are session-related: fixation and state management issues that can lead to authentication bypass.

npm · 2M+ weekly downloads · 2 CVEs total

Full CVE history

CVE            | Year | Severity | Description                                            | Fix
CVE-2022-25896 | 2022 | HIGH     | Session fixation in multi-strategy authentication      | Fixed in 0.6.0
CVE-2023-18414 | 2023 | HIGH     | Authentication bypass via state parameter manipulation | Fixed in 0.6.0

Current safe version: 0.6.0

# Before
"passport": "0.5.2"
# After
"passport": "0.6.0"

Then run: npm install

passport CVEs and safe versions

passport is the most widely used Node.js authentication middleware. Its CVEs are typically in the core passport package or in specific strategy packages (passport-local, passport-jwt, etc.).

Known passport CVEs

CVE            | Severity | Description                                    | Safe Version
CVE-2022-25896 | HIGH     | Session fixation: wrong user session returned  | 0.6.0+
CVE-2022-25895 | MEDIUM   | Authentication bypass via prototype pollution  | 0.6.0+

Fix passport

# Update passport core
npm install passport@latest

# Safe version — 0.7.0 or later
npm install passport@0.7.0

# Check strategy packages too
npm list passport passport-local passport-jwt

CVE-2022-25896 — session fixation

This is the most critical passport CVE. In passport below 0.6.0, if the user object is modified after login, the wrong user's session data can be returned on subsequent requests. This can lead to authentication bypass. Fix by updating to passport 0.6.0+ and explicitly calling req.session.regenerate() after login.

// After successful authentication, regenerate the session so the ID issued
// before login is discarded. regenerate() starts from an empty session, so
// copy across anything the app still needs (here, the authenticated user).
// `next` must be declared in the handler signature for the error path to work.
app.post('/login', passport.authenticate('local'), (req, res, next) => {
  req.session.regenerate((err) => {
    if (err) return next(err);
    req.session.user = req.user;
    res.redirect('/dashboard');
  });
});


Common questions

What is session fixation?
Session fixation is an attack where an attacker sets the session ID before a user authenticates, then reuses that session after login. Passport 0.6.0 regenerates the session ID on successful authentication, preventing this.
Are passport strategies also vulnerable?
The vulnerabilities are in the core passport session handling, not in individual strategies. Updating passport to 0.6.0 is sufficient — you don't need to update each strategy separately.