CVE-2021-29624
MEDIUM6.5EPSS 0.17%Lack of protection against cookie tossing attacks in fastify-csrf
Description
### Impact Users that used fastify-csrf with the "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. ### Patches Version 3.1.0 of the fastify-csrf fixes it. See https://github.com/fastify/fastify-csrf/pull/51 and https://github.com/fastify/csrf/pull/2. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains. ### Workarounds None available. ### References 1. https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html 2. https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf ### Credits This vulnerability was found by Xhelal Likaj <[email protected]>. ### For more information If you have any questions or comments about this advisory: * Open an issue in [fastify-csrf](https://github.com/fastify/fastify-csrf) * Email us at [[email protected]](mailto:[email protected])
Affected packages (1)
- npm/fastify-csrffrom 0, < 3.1.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-29624
- WEBhttps://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
- WEBhttps://github.com/fastify/csrf/pull/2
- WEBhttps://github.com/fastify/fastify-csrf/pull/51
- WEBhttps://github.com/fastify/fastify-csrf/releases/tag/v3.1.0
- WEBhttps://github.com/fastify/fastify-csrf/security/advisories/GHSA-rc4q-9m69-gqp8
- WEBhttps://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf