Headline
GHSA-pj2c-h76w-vv6f: tiny-csrf has openly visible CSRF tokens
Impact
Weak encryption of CSRF tokens, so the tokens can be read by malicious attackers.
Patches
Problems have been patched as of v1.1.0
Workarounds
Upgrade to v1.1.0
References
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
For more information
Submit an issue at the GitHub repo
Package
npm tiny-csrf (npm)
Affected versions
< 1.1.0
Patched versions
1.1.0
References
- GHSA-pj2c-h76w-vv6f
- valexandersaulys/tiny-csrf@8eead6d
valexandersaulys published the maintainer security advisory
Oct 7, 2022
Related news
tiny-csrf is a Node.js cross site request forgery (CSRF) protection middleware. In versions prior to 1.1.0 cookies were not encrypted and thus CSRF tokens were transmitted in the clear. This issue has been addressed in commit `8eead6d` and the patch will be included in version 1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.