Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJjNHEtOW02OS1ncXA4

Lack of protection against cookie tossing attacks in fastify-csrf

Impact

Users of fastify-csrf that use the "double submit" mechanism with cookies in an application deployed across multiple subdomains (e.g. a "heroku"-style platform as a service) are affected.

Patches

Version 3.1.0 of fastify-csrf fixes this issue.
See https://github.com/fastify/fastify-csrf/pull/51 and https://github.com/fastify/csrf/pull/2.

The user of the module would need to supply a userInfo when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains.

Workarounds

None available.

References

  1. https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
  2. https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf

Credits

This vulnerability was found by Xhelal Likaj [email protected].

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-rc4q-9m69-gqp8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJjNHEtOW02OS1ncXA4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: over 1 year ago


CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Identifiers: GHSA-rc4q-9m69-gqp8, CVE-2021-29624
References: Repository: https://github.com/fastify/fastify-csrf
Blast Radius: 11.9

Affected Packages

npm:fastify-csrf
Dependent packages: 15
Dependent repositories: 68
Downloads: 4,820 last month
Affected Version Ranges: < 3.1.0
Fixed in: 3.1.0
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 2.0.0, 3.0.0, 3.0.1
All unaffected versions: 3.1.0