[2022-11] API Token Privilege Escalation

Date/time incident detected: 11/14/2022 21:05 UTC

Date/time incident resolved: 11/16/2022 02:14 UTC

Affected components: API Tokens

Affected customers: All customers with push-only API tokens

Impact:

A potential security vulnerability was discovered whereby any API endpoint authorized for "push only" API token usage returned an authorization header containing a FOSSA session ID. That session ID carried the full privileges of the user account the push-only token was assigned to, rather than the token's push-only scope, so it could be set in a browser to obtain a valid, fully privileged session as that user. Even with this privilege escalation, the vulnerability gave a malicious actor no opportunity to access any proprietary source code while it was active.

There is no evidence of this vulnerability having been exploited by anyone to date. However, our historical logs are not comprehensive enough to confirm with absolute certainty that it never occurred.

Resolution:

A code fix was deployed that invalidates the FOSSA session ID created during every API request before the response is sent back to the client, eliminating the possibility of reusing that session ID for privilege escalation.
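The following is an added illustration of the flaw and of the fix described above; it is not FOSSA code, and the token format, session store, header name and handler names are assumptions made for the example. It models the vulnerable pattern (token authentication mints a full user session whose ID is echoed in a response header and never revoked), the fix as stated in the resolution (the per-request session is invalidated before the response leaves), and a small regression check a team can run against push-only endpoints to confirm that no response header carries a session ID that still grants access.

```python
"""Toy model of a push-only API token leaking a full-privilege session.

Added example, not FOSSA code. Token format, session store, header
name and handler names are assumptions for illustration only.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data: one full-access user and one push-only token.
USERS = {"alice": {"role": "admin"}}
API_TOKENS = {"push-tok-123": {"user": "alice", "scope": "push"}}


@dataclass
class Session:
    user: str
    privileges: str          # "full" means complete platform access
    valid: bool = True


SESSIONS: Dict[str, Session] = {}


def authenticate_token(headers: dict) -> Optional[dict]:
    """Resolve a bearer API token to its record, or None if unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return API_TOKENS.get(auth[len("Bearer "):])


def session_privileges(session_id: str) -> Optional[str]:
    """What a browser presenting this session ID would be granted."""
    s = SESSIONS.get(session_id)
    return s.privileges if s and s.valid else None


def _mint_full_session(user: str) -> str:
    """The escalation point: the session is keyed to the user, not to the
    push-only scope of the token that authenticated the request."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user=user, privileges="full")
    return sid


def handle_push_vulnerable(headers: dict) -> dict:
    """Vulnerable pattern: session minted, echoed in a header, never revoked."""
    tok = authenticate_token(headers)
    if tok is None or tok["scope"] != "push":
        return {"status": 401, "headers": {}, "body": ""}
    sid = _mint_full_session(tok["user"])
    return {"status": 200, "headers": {"Authorization": f"Session {sid}"},
            "body": "pushed"}


def handle_push_fixed(headers: dict) -> dict:
    """Fix as described: invalidate the per-request session before responding.
    The header is deliberately kept so the check below shows the leaked ID
    is now useless; not emitting it at all would be stronger still."""
    tok = authenticate_token(headers)
    if tok is None or tok["scope"] != "push":
        return {"status": 401, "headers": {}, "body": ""}
    sid = _mint_full_session(tok["user"])
    try:
        body = "pushed"                 # request work happens here
    finally:
        SESSIONS[sid].valid = False     # revoked before the response leaves
    return {"status": 200, "headers": {"Authorization": f"Session {sid}"},
            "body": body}


def extract_session_id(response: dict) -> Optional[str]:
    """Pull a session ID out of the assumed 'Authorization: Session <id>' header."""
    hdr = response["headers"].get("Authorization", "")
    return hdr[len("Session "):] if hdr.startswith("Session ") else None


def leaks_usable_session(response: dict) -> bool:
    """Regression check: does the response expose a session ID that a
    browser could replay for more access than the token itself had?"""
    sid = extract_session_id(response)
    return sid is not None and session_privileges(sid) is not None


def demo():
    """Run both handlers against the same push-only request."""
    req = {"Authorization": "Bearer push-tok-123"}
    return (leaks_usable_session(handle_push_vulnerable(req)),
            leaks_usable_session(handle_push_fixed(req)))
```

Wire `leaks_usable_session` into integration tests for every endpoint that accepts a reduced-scope credential; the assertion to keep is that nothing in the response, headers or cookies, can be replayed for privileges the credential did not have. The stronger design is to never derive a user-level session from a scoped token in the first place, so there is nothing to invalidate.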

No action is necessary by customers and users of the FOSSA platform.