
# CVE-2022-24794: Security Update for Express OpenID Connect Library

**Published**: March 30, 2022

**CVE number**: CVE-2022-24794

### Overview

Users of the `requiresAuth` middleware, either directly or through the default `authRequired` option, are vulnerable to an Open Redirect when the middleware is applied to a catch-all route.

If all routes under `example.com` are protected with the `requiresAuth` middleware, a visit to `http://example.com//google.com` will be redirected to `google.com` after login, because the original URL reported by the Express framework is not properly sanitised before it is used as the post-login return location.
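The following is an added example, not code from express-openid-connect or Auth0, showing why a value such as `//google.com` taken verbatim from `req.originalUrl` leaves the site, and one way to validate a post-login return path so it must stay on the application's own origin. `APP_ORIGIN`, `safeReturnTo`, `redirectTargetUnsafe`, `redirectTargetSafe` and the request objects are assumptions constructed for the example.

```javascript
// Added example (not code from express-openid-connect or Auth0): validating the
// post-login "return to" value so a path like "//google.com" cannot send the
// user off-site. APP_ORIGIN and the req shapes below are assumptions.
const APP_ORIGIN = 'https://example.com';

// Returns a same-origin path (plus query/fragment), or '/' when the candidate
// would resolve to a different origin than the application.
function safeReturnTo(candidate, appOrigin = APP_ORIGIN) {
  if (typeof candidate !== 'string' || candidate === '') return '/';
  // Browsers treat "\" like "/" in http(s) URLs, so "/\google.com" is also
  // protocol-relative; reject any leading pair of slashes and any backslash.
  if (/^[\\/]{2}/.test(candidate) || candidate.includes('\\')) return '/';
  let resolved;
  try {
    // Resolve exactly as a browser would when following a Location header.
    resolved = new URL(candidate, appOrigin);
  } catch {
    return '/';
  }
  // An absolute URL to another host or scheme changes the origin.
  if (resolved.origin !== new URL(appOrigin).origin) return '/';
  return resolved.pathname + resolved.search + resolved.hash;
}

// The pattern the advisory describes: the redirect target is req.originalUrl
// used verbatim, so a protocol-relative path is followed off-site.
function redirectTargetUnsafe(req) {
  return req.originalUrl;
}

// Hardened form: the same flow, but the target is validated first.
function redirectTargetSafe(req) {
  return safeReturnTo(req.originalUrl);
}

// Constructed requests mirroring what Express reports for
// http://example.com//google.com and for an ordinary in-app page.
const attackerReq = { originalUrl: '//google.com' };
const normalReq = { originalUrl: '/account?tab=security' };

console.log(redirectTargetUnsafe(attackerReq)); // //google.com (leaves the site)
console.log(redirectTargetSafe(attackerReq));   // /
console.log(redirectTargetSafe(normalReq));     // /account?tab=security
```

The check resolves the candidate against the application's origin with the WHATWG `URL` parser, which is the same resolution the browser applies to a `Location` header, so anything that ends up on another origin (protocol-relative paths, absolute URLs, non-http schemes) falls back to `/`.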

### Am I affected?

You are affected by this vulnerability if you are using the `requiresAuth` middleware on a catch-all route (or the default `authRequired` option) with `express-openid-connect` version `<=2.7.1`.

### How do I fix this?

Upgrade to version `>=2.7.2`.

### Will this update impact my users?

The fix provided in the patch will not affect your users.
