Listen to this Post
The vulnerability in Pocket ID (CVE-2024-XXXX) arises from a logical error in the OIDC token endpoint’s authorization code validation. In `backend/internal/service/oidc_service.go` at line 407, the code uses an AND operator (&&) to check two conditions: whether the client ID in the request does not match the stored metadata, and whether the authorization code has expired. This means the endpoint rejects the request only if both conditions are true simultaneously. However, the intended behavior is to reject if either condition is true, which would require an OR operator (||). As a result, if an attacker presents a valid (non-expired) authorization code with a wrong client ID, the request is accepted, allowing cross-client code exchange. Conversely, if the code is expired but the client ID is correct, the request is also accepted, enabling expired code reuse. An attacker operating an OIDC client can exploit this to exchange codes issued for other clients, obtaining tokens for users who never authorized their client. The PoC demonstrates this by using a test environment: a code issued for Nextcloud is exchanged using Immich’s credentials, yielding a valid token with the audience set to Immich. This flaw bypasses client authorization and expiration checks, compromising OIDC flow integrity and leading to unauthorized access until the 24-hour cleanup job runs.
Platform: Pocket ID
Version: Before patch
Vulnerability: OIDC logic flaw
Severity: Critical
date: 2024-11-15
Prediction: Patch 2024-11-30
What Undercode Say:
Analytics:
Seed test data with Pocket ID in test mode curl -X POST "http://localhost:1411/api/test/reset?skip-ldap=true" Exploit: Exchange Nextcloud's auth code using Immich's client credentials curl -X POST http://localhost:1411/api/oidc/token \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "grant_type=authorization_code" \ -d "code=auth-code" \ -d "client_id=606c7782-f2b1-49e5-8ea9-26eb1b06d018" \ -d "client_secret=PYjrE9u4v9GVqXKi52eur0eb2Ci4kc0x" \ -d "redirect_uri=http://immich/auth/callback" Expected 400 but returns 200 with tokens
How Exploit:
- Set up Pocket ID in test mode with `APP_ENV=test` and
BUILD_TAGS=e2etest. - Ensure a user has authorized two OIDC clients (e.g., Nextcloud and Immich).
- Obtain an authorization code issued for one client (e.g., Nextcloud).
- Send a token request with the code, using the other client’s credentials (wrong client ID).
- The endpoint accepts due to AND logic, returning tokens for the unauthorized client.
Protection from this CVE:
Upgrade to patched version where condition uses OR operator. If unavailable, apply hotfix by modifying `oidc_service.go` line 407 from `&&` to `||` and rebuild. Monitor logs for anomalous token exchanges.
Impact:
Any OIDC client operator can exchange codes for other clients, obtaining tokens for users who never authorized that client. Expired codes can be reused until cleanup, enabling unauthorized access and privilege escalation.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

