[New Advisory] connected-car npm package — Broken PKCE + VIN Injection (CWE-303, CWE-20) #7304
Description
Package Information
- Ecosystem: npm
- Package name: connected-car
- Repository: https://github.com/ianjwhite99/connected-car-node-sdk
- Affected versions: <= 1.3.0 (all versions)
- Patched versions: None (repository archived)
- Severity: High (CVSS 7.4)
- CWE: CWE-303, CWE-20
Summary
Two vulnerabilities in the connected-car npm package (unofficial Ford FordPass API SDK):
1. Broken PKCE Implementation (CWE-303)
OAuth2Client.ts line 95 appends %3D (=) to every PKCE code_challenge, violating RFC 7636 Section 4.2. BASE64URL encoding must NOT include padding. This corrupts the challenge so it never matches the verifier, breaking PKCE protection. Combined with the custom URI scheme redirect (fordapp://userauthorized), this creates an authorization code interception risk on Android.
2. Unsanitized VIN Parameters (CWE-20)
18 API endpoints construct URLs by concatenating the unsanitized vehicleVIN and messageId parameters. No input validation or URL encoding exists anywhere in the codebase, which enables path traversal and query parameter injection through those parameters.
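For comparison, the following is an added example (not code from the connected-car SDK) of how the VIN and message-id parameters described above can be validated and encoded before they reach a URL. The VIN format (17 characters, uppercase letters and digits, no I, O or Q) follows ISO 3779; the message-id allowlist, the `https://api.example.invalid` base URL and the `/vehicles/.../status` and `/messages` paths are assumptions for illustration, not the FordPass API's real routes.

```javascript
// Added example: allowlist validation plus URL-API construction for vehicle endpoints.

// ISO 3779 VIN: exactly 17 characters, uppercase letters and digits, I/O/Q excluded.
const VIN_RE = /^[A-HJ-NPR-Z0-9]{17}$/;
// Assumed allowlist for message identifiers: opaque tokens of up to 64 safe characters.
const MESSAGE_ID_RE = /^[A-Za-z0-9_-]{1,64}$/;

function isValidVin(vin) {
  return typeof vin === 'string' && VIN_RE.test(vin);
}

function isValidMessageId(id) {
  return typeof id === 'string' && MESSAGE_ID_RE.test(id);
}

// Path built from an allowlisted VIN via the URL API; encodeURIComponent on the
// segment is defence in depth in case the allowlist is ever relaxed.
function buildVehicleStatusUrl(baseUrl, vin) {
  if (!isValidVin(vin)) throw new TypeError('vehicleVIN rejected by allowlist');
  const url = new URL(baseUrl);
  url.pathname = url.pathname.replace(/\/$/, '') + '/vehicles/' + encodeURIComponent(vin) + '/status';
  return url.toString();
}

// Query parameter set through searchParams so it is encoded rather than concatenated.
function buildMessageUrl(baseUrl, vin, messageId) {
  if (!isValidVin(vin)) throw new TypeError('vehicleVIN rejected by allowlist');
  if (!isValidMessageId(messageId)) throw new TypeError('messageId rejected by allowlist');
  const url = new URL(baseUrl);
  url.pathname = url.pathname.replace(/\/$/, '') + '/vehicles/' + encodeURIComponent(vin) + '/messages';
  url.searchParams.set('messageId', messageId);
  return url.toString();
}

// Constructed candidates for a self-check: only the well-formed VIN survives the allowlist
// (the others contain an excluded letter, are one character short, or contain slashes).
function demoVinFilter() {
  const candidates = ['1HGCM82633A004352', '1HGCM82633A00435I', '1HGCM82633A00435', 'VIN/WITH/SLASHES'];
  return candidates.filter(isValidVin);
}
```

Rejecting at the allowlist is the primary control; the `URL` object and `encodeURIComponent` ensure that even an unexpected value cannot alter the path or add query parameters.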
Proof of Concept
```js
// PKCE bug verification
const crypto = require('crypto');
const verifier = crypto.randomBytes(32).toString('base64url');
const correct = crypto.createHash('sha256').update(verifier).digest('base64url');
const fordSDK = correct + '='; // What the SDK sends
console.log(correct === fordSDK); // false — PKCE broken on every request
```