CVE-2023-28131 in Expo

Summary

by MITRE • 04/24/2023

A vulnerability in the expo.io framework allows an attacker to take over accounts and steal credentials on an application/website that configured the "Expo AuthSession Redirect Proxy" for social sign-in. This can be achieved once a victim clicks a malicious link. The link itself may be sent to the victim in various ways (including email, text message, an attacker-controlled website, etc.).


Analysis

by VulDB Data Team • 12/01/2025

The vulnerability identified as CVE-2023-28131 represents a critical authentication flaw within the expo.io framework that specifically affects applications utilizing the Expo AuthSession Redirect Proxy for social sign-in functionality. This issue stems from improper handling of redirect URIs and authentication state management within the framework's implementation of social login mechanisms. The vulnerability exists at the intersection of web application security and identity management protocols, creating a pathway for attackers to exploit the trust relationship between users and social authentication providers.

The technical flaw manifests when applications configure the Expo AuthSession Redirect Proxy to handle social sign-in flows, which typically involve redirecting users to social media platforms like Google, Facebook, or Apple for authentication before redirecting back to the application. The vulnerability occurs due to insufficient validation of redirect URIs and lack of proper state parameter handling, allowing attackers to craft malicious links that manipulate the authentication flow. When victims click these malicious links, the framework fails to properly verify that the redirect originates from legitimate sources, enabling attackers to intercept authentication tokens and potentially gain unauthorized access to user accounts.

The operational impact of this vulnerability extends beyond simple credential theft, as it can lead to full account compromise and unauthorized access to sensitive user data. Attackers can leverage this vulnerability to perform account takeover attacks, access personal information stored in social media accounts, and potentially escalate privileges within the application ecosystem. The attack vector is particularly concerning because it requires only a single click from the victim, making it highly effective for phishing campaigns and social engineering attacks. The vulnerability affects any application using the expo.io framework with social sign-in configured, creating a widespread risk across numerous applications and services that rely on this popular mobile development platform.

This vulnerability aligns with CWE-384, which addresses the issue of session fixation and improper session management in web applications, and can be mapped to ATT&CK technique T1566 for credential harvesting through phishing methods. The attack surface is significantly broadened by the popularity of the expo.io framework in mobile application development, affecting not just individual applications but entire ecosystems built on this platform. Organizations using this framework must urgently assess their social sign-in implementations and implement proper URI validation and state parameter management to prevent exploitation. The recommended mitigations include implementing strict redirect URI validation, ensuring proper state parameter handling, and utilizing secure authentication flows that prevent unauthorized redirect manipulation. Additionally, developers should consider implementing further security measures such as nonce verification and proper error handling to prevent attackers from exploiting the authentication flow. They should also regularly audit their authentication mechanisms to identify potential vulnerabilities before they can be exploited by malicious actors.

Reservation

03/10/2023

Disclosure

04/24/2023

Moderation

accepted

CPE

ready

EPSS

0.23165

KEV

no

Activities

very low
