CVE-2022-39287: Openly visible CSRF tokens in versions prior to v1.1.0

tiny-csrf is a Node.js cross-site request forgery (CSRF) protection middleware. In versions prior to 1.1.0, cookies were not encrypted, so CSRF tokens were transmitted in the clear. This issue has been addressed in commit 8eead6d and the patch will be included in version 1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.


Package

npm tiny-csrf (npm)

Affected versions

<1.1.0

Patched versions

1.1.0

Description

Impact

The cookie carrying the CSRF token was not encrypted, so the token could be read by an attacker.

Patches

Problems have been patched as of v1.1.0

Workarounds

Upgrade to v1.1.0

References

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

For more information

Submit an issue at the github repo: https://github.com/valexandersaulys/tiny-csrf

Related news

GHSA-pj2c-h76w-vv6f: tiny-csrf has openly visible CSRF tokens