
CVE-2023-27495: fastify-csrf is an open-source plugin that helps developers protect their Fastify server against CSRF attacks. Versions of fa

`@fastify/csrf-protection` is a plugin that helps protect Fastify servers against CSRF attacks. Under certain conditions, network and same-site attackers can bypass the CSRF protection enforced by `@fastify/csrf-protection` in combination with `@fastify/cookie`.

`@fastify/csrf-protection` supports an optional `userInfo` parameter that binds the CSRF token to the user. This parameter was introduced to prevent cookie-tossing attacks as a fix for CVE-2021-29624. Whenever the `userInfo` parameter is missing, or its value can be predicted for the target user account, network and same-site attackers can:

1. fixate a `_csrf` cookie in the victim's browser, and
2. forge CSRF tokens that are valid for the victim's session.

This allows attackers to bypass the CSRF protection mechanism.

As a fix, `@fastify/csrf-protection` starting from version 6.3.0 (and v4.1.0) includes a server-defined secret `hmacKey` that cryptographically binds the CSRF token to the value of the `_csrf` cookie and the `userInfo` parameter, so attackers cannot spoof tokens. This protection is effective as long as the `userInfo` parameter is unique for each user. The issue is patched in versions 6.3.0 and v4.1.0. Users are advised to upgrade. Users unable to upgrade may use a random, non-predictable `userInfo` parameter for each user as a mitigation.
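The difference between an unkeyed token check and the `hmacKey` binding described above, as an added JavaScript example (not code from the advisory or from `@fastify/csrf-protection`). The token layout, the helper names and the sample cookie and `userInfo` values are assumptions made for illustration.

```javascript
// Added illustration: a simplified token scheme, not the plugin's source code.
const crypto = require('node:crypto');

const HMAC_KEY = crypto.randomBytes(32); // server-only secret, playing the role of hmacKey

// Unambiguous encoding of everything the token is bound to.
const material = (salt, cookieSecret, userInfo) =>
  JSON.stringify([salt, cookieSecret, userInfo]);

// Unkeyed tag: anyone who knows the three inputs can recompute it.
const unkeyedTag = (salt, cookieSecret, userInfo) =>
  crypto.createHash('sha256').update(material(salt, cookieSecret, userInfo)).digest('hex');

// Keyed tag: recomputing it also requires the server-side key.
const keyedTag = (key) => (salt, cookieSecret, userInfo) =>
  crypto.createHmac('sha256', key).update(material(salt, cookieSecret, userInfo)).digest('hex');

function issueToken(tagFn, cookieSecret, userInfo) {
  const salt = crypto.randomBytes(8).toString('hex');
  return `${salt}.${tagFn(salt, cookieSecret, userInfo)}`;
}

function verifyToken(tagFn, token, cookieSecret, userInfo) {
  const [salt, tag] = String(token).split('.');
  if (!salt || !tag) return false;
  const expected = Buffer.from(tagFn(salt, cookieSecret, userInfo));
  const given = Buffer.from(tag);
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed scenario: the _csrf cookie value is known to a third party and
// userInfo is missing, the precondition named in the advisory.
function demo() {
  const server = keyedTag(HMAC_KEY);
  const knownCookie = 'constructed-cookie-value';
  const offline = issueToken(unkeyedTag, knownCookie, ''); // computed without any key
  const wrongKey = issueToken(keyedTag(crypto.randomBytes(32)), knownCookie, '');
  const legit = issueToken(server, 'constructed-server-cookie', 'user-42');
  return {
    unkeyedAcceptsOffline: verifyToken(unkeyedTag, offline, knownCookie, ''),
    keyedAcceptsOffline: verifyToken(server, offline, knownCookie, ''),
    keyedAcceptsWrongKey: verifyToken(server, wrongKey, knownCookie, ''),
    keyedAcceptsLegit: verifyToken(server, legit, 'constructed-server-cookie', 'user-42'),
    keyedAcceptsOtherUser: verifyToken(server, legit, 'constructed-server-cookie', 'user-43'),
    keyedAcceptsOtherCookie: verifyToken(server, legit, knownCookie, 'user-42'),
  };
}

console.log(demo());
```

`keyedAcceptsOtherUser` is false because `userInfo` is part of the MAC input, which is why the advisory requires `userInfo` to be unique for each user.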


Vulnerability Details : CVE-2021-29624

fastify-csrf is an open-source plugin that helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 use a “double submit” mechanism based on cookies, which is vulnerable when an application is deployed across multiple subdomains, e.g. a “heroku”-style platform as a service. Version 3.1.0 of fastify-csrf fixes the vulnerability. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains.

Publish Date : 2021-05-19
Last Update Date : 2022-10-25

- CVSS Scores & Vulnerability Types

| Metric | Value |
|---|---|
| CVSS Score | 4.3 |
| Confidentiality Impact | None (There is no impact to the confidentiality of the system.) |
| Integrity Impact | Partial (Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.) |
| Availability Impact | None (There is no impact to the availability of the system.) |
| Access Complexity | Medium (The access conditions are somewhat specialized. Some preconditions must be satisfied to exploit.) |
| Authentication | Not required (Authentication is not required to exploit the vulnerability.) |
| Gained Access | None |
| Vulnerability Type(s) | CSRF |
| CWE ID | 352 |

- Products Affected By CVE-2021-29624

| # | Product Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|---|
| 1 | Application | Fastify | Fastify-csrf | \* | \* | \* | \* |

- Number Of Affected Versions By Product

| Vendor | Product | Vulnerable Versions |
|---|---|---|
| Fastify | Fastify-csrf | 1 |

Related news

GHSA-qrgf-9gpc-vrxw: Bypass of CSRF protection in the presence of predictable userInfo

## Description

The [CSRF](https://owasp.org/www-community/attacks/csrf) protection enforced by the `@fastify/csrf-protection` library in combination with `@fastify/cookie` can be bypassed by network and same-site attackers under certain conditions. `@fastify/csrf-protection` supports an optional `userInfo` parameter that binds the CSRF token to the user. This parameter has been introduced to prevent cookie-tossing attacks as a fix for [CVE-2021-29624](https://www.cvedetails.com/cve/CVE-2021-29624). Whenever the `userInfo` parameter is missing, or its value can be predicted for the target user account, network and [same-site](https://canitakeyoursubdomain.name/) attackers can:

1. fixate a `_csrf` cookie in the victim's browser, and
2. forge CSRF tokens that are valid for the victim's session.

This allows attackers to bypass the CSRF protection mechanism. As a fix, `@fastify/csrf-protection` starting from version 6.3.0 (and v4.1.0) includes a server-defined secret `hmacKey` that cryptogra...

CVE-2021-29624: Release v3.1.0 · fastify/csrf-protection

