{"id":"CVE-2022-31013","summary":"Authentication bypass in Vartalap chat-server","details":"Chat Server is the chat server for Vartalap, an open-source messaging application. Versions 2.3.2 until 2.6.0 suffer from a bug in validating the access token, resulting in authentication bypass. The function `this.authProvider.verifyAccessKey` is an async function, as the code is not using `await` to wait for the verification result. Every time the function responds back with success, along with an unhandled exception if the token is invalid. A patch is available in version 2.6.0.","aliases":["GHSA-xx4j-qqpp-v277"],"modified":"2026-07-08T06:01:44.628770623Z","published":"2022-05-31T22:35:11Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31013.json","cwe_ids":["CWE-287"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/ramank775/chat-server/discussions/78"},{"type":"WEB","url":"https://github.com/ramank775/chat-server/releases/tag/v2.6.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31013.json"},{"type":"ADVISORY","url":"https://github.com/ramank775/chat-server/security/advisories/GHSA-xx4j-qqpp-v277"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31013"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ramank775/chat-server","events":[{"introduced":"efe592001fc8032f45fbf8a08c2d444b3a7890af"},{"fixed":"b4cd6a5d0fe68f7b9cf655d487ec11d3830143d5"}],"database_specific":{"source":["AFFECTED_FIELD","CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:chat_server_project:chat_server:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"2.3.2"},{"fixed":"2.6.0"}]}}],"versions":["v2.5.0","v2.3.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31013.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}