All three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity.
The OAuthBrokerService.GetService() returns a single shared instance per provider for every request. The OAuth flow stores intermediate state as struct fields on this singleton:
Token storage — generic_oauth_service.go line 96:
generic.token = token // Shared mutable field on singleton
Verifier storage — generic_oauth_service.go line 81:
generic.verifier = verifier // Shared mutable field on singleton
In the callback handler oauth_controller.go lines 136–143, the code calls:
err = service.VerifyCode(code) // line 136 — stores token on singleton
// ... race window ...
user, err := controller.broker.GetUser(req.Provider) // line 143 — reads token from singleton
Between these two calls, a concurrent request's VerifyCode() can overwrite the token field, causing GetUser() → Userinfo() to fetch the wrong user's identity claims.
The same pattern exists in all three implementations: -...
1.0.1-0.20260401140714-fc1d4f2082a5Exploitability
AV:NAC:HPR:LUI:RScope
S:CImpact
C:HI:HA:N7.7/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N