Lack of protection against cookie tossing attacks in fastify-csrf
CVE-2021-29624

6.5MEDIUM

Key Information:

Vendor

Fastify

Status
Fastify-csrf
Vendor
CVE Published:
19 May 2021

What is CVE-2021-29624?

fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Version 3.1.0 of the fastify-csrf fixes it. the vulnerability. The user of the module would need to supply a userInfo when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains.

Affected Version(s)

fastify-csrf < 3.1.0

References

https://github.com/fastify/fastify-csrf/security/advisori...
x_refsource_CONFIRM
https://github.com/fastify/csrf/pull/2
x_refsource_MISC
https://github.com/fastify/fastify-csrf/pull/51
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.