Security Advisory: AG2015-01

AG2015-01: Potential Authenticated User Spoofing in zf-oauth2

We discovered a potential issue in the Web-Server Application scenario (also termed "Authorization Code") of zf-oauth2. When using this scenario, an attacker can pass a user_id value in the query string and thereby associate the authorization code and the resulting token with a different user. Passing the user_id in the query string is a bad practice; the user identity should be managed server side, using a value from the original authorization (e.g. from the original login page).

The vulnerability exists in all stable versions of zf-oauth2 from 1.1.0 forward. Only applications using the authorization_code scenario are affected.

Action Taken

We removed the ability to specify the user_id in the query string when utilizing the /authorize resource, and we now use Zend\Authorization\AuthorizationService as the default mechanism for managing the identity of the user under this OAuth2 scenario.
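To make the flaw and the fix concrete, here is an added PHP sketch that is not zf-oauth2's own code: the Identity class and the two authorize functions are hypothetical stand-ins, and the request data is constructed. It binds an authorization code to a user first from the query string, as the affected scenario allowed, and then only from the server-side identity.

```php
<?php
// Added illustration, not zf-oauth2 code. Names are hypothetical stand-ins
// for the server-side authentication service and the /authorize handler.

// Minimal stand-in for a server-side authentication service.
final class Identity
{
    private $userId;
    public function __construct(?string $userId) { $this->userId = $userId; }
    public function hasIdentity(): bool { return $this->userId !== null; }
    public function getIdentity(): ?string { return $this->userId; }
}

// Flawed: trusts a caller-supplied user_id, so the authorization code can be
// bound to whichever user the request names rather than the logged-in one.
function authorizeVulnerable(array $query, Identity $auth): array
{
    $userId = $query['user_id'] ?? $auth->getIdentity();
    return ['code' => bin2hex(random_bytes(16)), 'user_id' => $userId];
}

// Hardened: the user comes only from the server-side session. A user_id in
// the query string is ignored (and logged), and an unauthenticated caller
// receives no code at all.
function authorizeHardened(array $query, Identity $auth): array
{
    if (!$auth->hasIdentity()) {
        return ['error' => 'login_required'];
    }
    if (isset($query['user_id'])) {
        error_log('Ignoring client-supplied user_id in /authorize request');
    }
    return ['code' => bin2hex(random_bytes(16)), 'user_id' => $auth->getIdentity()];
}

// Constructed request: "alice" is logged in, but the query names "bob".
$query   = ['client_id' => 'demo-app', 'response_type' => 'code', 'user_id' => 'bob'];
$session = new Identity('alice');

echo 'vulnerable binds code to: ', authorizeVulnerable($query, $session)['user_id'], PHP_EOL;
echo 'hardened binds code to:   ', authorizeHardened($query, $session)['user_id'], PHP_EOL;
echo 'hardened, not logged in:  ', json_encode(authorizeHardened($query, new Identity(null))), PHP_EOL;
```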

The patch fixing the issues has been applied in the following versions:

  • zf-oauth2 1.2.1
  • zf-oauth2 1.3.1

Additionally, we have released corresponding versions of the Apigility skeleton, used by our installer, to ensure they use these versions of zf-oauth2 by default.


If you are using zf-oauth2 with the web application/authorization code scenario, we recommend upgrading zf-oauth2 to either 1.2.1 or 1.3.1. This can usually be done using composer update zfcampus/zf-oauth2.


The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

  • Mat Wright, who notified us of the issue and reviewed our patch; and
  • Enrico Zimuel, who wrote the patch for the issue.

Released 2015-07-23
