The node-oauth2-server module improperly restricts excessive authentication attempts in its implementation of the PKCE S256 flow. Specifically, it accepts RFC7636-invalid code_verifier values, including very short strings, and does not consume the authorization code on failed verification attempts. This allows an attacker who has intercepted an authorization code to perform an online brute-force attack against the code_verifier until a valid token is issued. The vulnerability is tracked as CVE-2026-41213 and affects versions before 5.3.0. The CVSS 3.1 base score is 5.9, reflecting a medium severity with network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, and high confidentiality impact.

An attacker who intercepts an OAuth2 authorization code can repeatedly attempt to guess the code_verifier value due to the lack of proper restrictions on authentication attempts and acceptance of invalid code_verifiers. This can lead to unauthorized issuance of access tokens, compromising the confidentiality of protected resources. The vulnerability does not impact integrity or availability directly. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider implementing additional rate limiting or monitoring on the token exchange endpoint to detect and block brute-force attempts. Avoid using affected versions of node-oauth2-server in sensitive environments if possible.