All versions of passport-cognito are vulnerable to Improper Authorization. The package fails to properly scope the variables containing authorization information, such as access token, refresh token and ID token. This causes a race condition where simultaneous authenticated users may receive authorization tokens for a different user. This would allow a user to take actions on another user's behalf.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

References

• https://www.npmjs.com/advisories/1443
• https://nvd.nist.gov/vuln/detail/CVE-2019-19723