Severity: Critical
CVSS Score: 10
### Impact

The outdated version 1 of the Steam Socialite Provider does not properly check whether the login comes from `steamcommunity.com`, allowing a malicious actor to substitute their own OpenID server.

### Patches

This vulnerability only affects the outdated v1.x versions of the package. These are no longer maintained; users should upgrade to v3 or v4, which use a hardcoded endpoint to verify the login.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [SocialiteProviders/Providers](https://github.com/SocialiteProviders/Providers)
* Email us at [socialite@atymic.dev](mailto:socialite@atymic.dev)
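The hardcoded-endpoint check described under Patches can be sketched as follows. This is an added example, not the package's own code: the helper name `buildSteamVerification`, the 17-digit SteamID pattern, and the sample values are assumptions, and the parameter array is assumed to keep the dots in its key names.

```php
<?php
declare(strict_types=1);

// Assumed constants: Steam's OpenID 2.0 endpoint and the claimed_id shape.
const STEAM_OPENID_ENDPOINT = 'https://steamcommunity.com/openid/login';
const STEAM_CLAIMED_ID_RE = '#\Ahttps://steamcommunity\.com/openid/id/(\d{17})\z#';

/**
 * Hypothetical helper: validates the callback parameters and returns the
 * verification request to send, or null when the response must be rejected.
 */
function buildSteamVerification(array $params): ?array
{
    // Reject responses that name any other OpenID provider.
    if (($params['openid.op_endpoint'] ?? '') !== STEAM_OPENID_ENDPOINT) {
        return null;
    }
    if (($params['openid.mode'] ?? '') !== 'id_res') {
        return null;
    }
    // The claimed identity must be a Steam profile URL.
    $claimed = $params['openid.claimed_id'] ?? '';
    if (!is_string($claimed) || preg_match(STEAM_CLAIMED_ID_RE, $claimed, $m) !== 1) {
        return null;
    }
    // Forward only openid.* fields, switching the mode to check_authentication.
    $body = [];
    foreach ($params as $key => $value) {
        if (is_string($key) && str_starts_with($key, 'openid.') && is_string($value)) {
            $body[$key] = $value;
        }
    }
    $body['openid.mode'] = 'check_authentication';

    // The URL is a constant: nothing in the request decides where we verify.
    // steam_id may be trusted only after this request returns "is_valid:true".
    return ['url' => STEAM_OPENID_ENDPOINT, 'body' => $body, 'steam_id' => $m[1]];
}

// Constructed sample callbacks (not real logins).
$genuine = [
    'openid.mode'        => 'id_res',
    'openid.op_endpoint' => STEAM_OPENID_ENDPOINT,
    'openid.claimed_id'  => 'https://steamcommunity.com/openid/id/76561190000000000',
    'openid.sig'         => 'constructed-signature',
];
$other = ['openid.op_endpoint' => 'https://openid.example.test/login'] + $genuine;

var_dump(buildSteamVerification($genuine)['url']);
var_dump(buildSteamVerification($other));
```

The caller POSTs `body` to `url` and treats the login as authenticated only if Steam's reply contains `is_valid:true`.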