# CVE-2021-41246: Security Update for Express OpenID Connect Library

**Published**: December 08, 2021

**CVE number**: `CVE-2021-41246`

### Overview

Versions `2.3.0` up to and including `2.5.1` of `express-openid-connect` do not regenerate the session id and <Tooltip tip="Session Cookie: Entity that, when present, allows the user to be considered authenticated." cta="View Glossary" href="/docs/glossary?term=session+cookie">session cookie</Tooltip> when a user logs in. Because the session id issued before authentication stays valid after it, an attacker who manages to plant a known session id in a victim's browser can reuse that id once the victim has logged in. This behavior opens up the application to session fixation attacks.

### Am I affected?

You are affected by this vulnerability if you use `express-openid-connect` version `2.3.0` up to and including `2.5.1` together with a custom session store.

### How do I fix it?

Upgrade `express-openid-connect` to version `>= 2.5.2`.

### Will this update impact my users?

The fix provided in the patch will not affect your users.
