Affected versions of passport-azure-ad do not recognize the validateIssuer setting, which allows remote attackers to bypass authentication via a crafted token.

Recommendation

Version 1.x: Update to version 1.4.6 or later.
Version 2.x: Update to version 2.0.1 or later.

References

• https://nvd.nist.gov/vuln/detail/CVE-2016-7191
• https://github.com/AzureAD/passport-azure-ad/blob/master/SECURITY-NOTICE.MD
• GHSA-73jp-3c67-hjfv
• https://support.microsoft.com/en-us/kb/3187742
• https://www.npmjs.com/advisories/151
• https://support.microsoft.com/kb/3187742
• http://www.securityfocus.com/bid/93213
• http://www.securitytracker.com/id/1036996