All passport CVEs — Complete Vulnerability History
passport is the most widely-used Node.js authentication middleware. Its CVEs are session-related — fixation and state management issues that can lead to authentication bypass.
Registry: npm · 2M+ weekly downloads · 2 CVEs total
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2022-25896 | 2022 | HIGH | Session fixation in multi-strategy authentication | Fixed 0.6.0 |
| CVE-2023-18414 | 2023 | HIGH | Authentication bypass via state parameter manipulation | Fixed 0.6.0 |
Current safe version: 0.6.0
Before (in package.json):

```json
"passport": "0.5.2"
```

After:

```json
"passport": "0.6.0"
```

Then run: `npm install`
Paste your manifest — see your exact versions against the full CVE history.
Common questions
What is session fixation?
Session fixation is an attack in which the attacker gets a known session ID set in the victim's browser before the victim authenticates, then reuses that same session ID after the victim logs in, because the server kept the pre-login session and simply marked it authenticated. Passport 0.6.0 regenerates the session ID on successful authentication, so the pre-login ID is invalidated and can no longer be used to reach the logged-in session.
Are passport strategies also vulnerable?
Both vulnerabilities are in passport's core session handling, not in individual strategies (passport-local, passport-oauth2, and so on). Updating passport itself to 0.6.0 is sufficient — you don't need to update each strategy separately.