• Security risk: Medium critical
  • Vulnerability: AccessToken not deleted even if user is deleted


If a user account is deleted while the user is logged in, then the accessToken does not get deleted. 

Reported by

GitHub account bluestaralone

Versions affected

loopback 2.29.1 and earlier


Version 2.30.0 of loopback fixes this issue.

Ensure that your application’s package.json has the following line:

"dependencies": {
   "loopback": "^2.30.0",

Then upgrade your project dependencies to use the latest version :

$ cd <app-root>
$ npm update