CVE-2021-29624
Summary
| CVE | CVE-2021-29624 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-05-19 22:15:00 UTC |
| Updated | 2022-10-25 20:56:00 UTC |
| Description | fastify-csrf is an open-source plugin that helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 rely on a "double submit" cookie mechanism, which does not hold up when the application is deployed across multiple subdomains (e.g. a "heroku"-style platform as a service): an attacker who controls a sibling subdomain can set ("toss") the CSRF secret cookie for the shared parent domain and submit a token that matches it, so both halves of the double submit are attacker-controlled. Version 3.1.0 of fastify-csrf fixes the vulnerability. To fully implement the protection, the user of the module must supply a `userInfo` value when generating the CSRF token, so that the token is bound to the user's session and cannot be forged from a tossed cookie alone. This is needed only for applications hosted on different subdomains. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Release v3.1.0 · fastify/fastify-csrf · GitHub | MISC | github.com | |
| Cross-Site Request Forgery Prevention - OWASP Cheat Sheet Series | MISC | cheatsheetseries.owasp.org | |
| Add utilities to prevent cookie tossing and replay attacks by mcollina · Pull Request #2 · fastify/csrf · GitHub | MISC | github.com | |
| Lack of protection against cookie tossing attacks in fastify-csrf · Advisory · fastify/fastify-csrf · GitHub | CONFIRM | github.com | |
| Support userInfo by mcollina · Pull Request #51 · fastify/fastify-csrf · GitHub | MISC | github.com | |
| owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submi... | MISC | owasp.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 982378 Nodejs (npm) Security Update for @fastify/csrf (GHSA-rc4q-9m69-gqp8)