perfood/couch-auth


Releases: 58
Release frequency: 2 months 1 week
Last release:
Stars: 78
Powerful authentication for APIs and apps using CouchDB (or Cloudant) with Node >= 14

CVE History

CVE | Published | CVSS v3 | CVSS v2

CVSS v3 9.3 CRITICAL
A host header injection vulnerability in the mailer component of @perfood/couch-auth v0.26.0 allows attackers to obtain password reset tokens and take over accounts by spoofing the HTTP Host header.

CVSS v3 7.5 HIGH
An observable timing discrepancy in @perfood/couch-auth v0.26.0 allows attackers to access sensitive information via a timing side channel.

CVSS v3 6.5 MEDIUM
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access techniques, potentially leading to session hijacking.