CVE-2024-31999 – @fastify/secure-session: Reuse of destroyed secure session cookie

https://notcve.org/view.php?id=CVE-2024-31999

@festify/secure-session creates a secure stateless cookie session for Fastify. At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the server side is destroyed. When an encrypted cookie with matching session name is provided with subsequent requests, it will decrypt the ciphertext to get the data. The plugin then creates a new session with the data in the ciphertext. • https://github.com/fastify/fastify-secure-session/commit/56d66642ecc633cff0606927601e81cdac361370 https://github.com/fastify/fastify-secure-session/security/advisories/GHSA-9wwp-q7wq-jx35 • CWE-613: Insufficient Session Expiration •