• Security risk: Medium
  • Vulnerability: Multi-user password reset exploit


When multiple User models were deployed it was possible for a resetToken for UserA to be used to reset the password for UserB or vice-versa.

See issue for more details.

Reported by

GitHub user sebastianfelipe via Issue #3577.

Versions affected

loopback (versions 3.3.0 or higher up till version 3.16.0)


Upgrade to loopback 3.16.0 or later if your repository is using an outdated loopback package.

Ensure that your application’s package.json has the following line:

"dependencies": {
   "loopback": "^3.16.0",

Then upgrade your project dependencies to use the latest version :

$ cd <app-root>
$ npm update
Tags: security