GHSA-2ccf-ffrj-m4qw

Suggest an improvement
Source
https://github.com/advisories/GHSA-2ccf-ffrj-m4qw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-2ccf-ffrj-m4qw/GHSA-2ccf-ffrj-m4qw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2ccf-ffrj-m4qw
Aliases
Related
Published
2023-04-21T22:32:47Z
Modified
2023-11-08T04:12:16.480712Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
CSRF token fixation in fastify-passport
Details

The CSRF protection enforced by the @fastify/csrf-protection library, when combined with @fastify/passport, can be bypassed by network and same-site attackers.

Details

fastify/csrf-protection implements the synchronizer token pattern (using plugins @fastify/session and @fastify/secure-session) by storing a random value used for CSRF token generation in the _csrf attribute of a user's session.

The @fastify/passport library does not clear the session object upon authentication, preserving the _csrf attribute between pre-login and authenticated sessions. Consequently, CSRF tokens generated before authentication are still valid. Network and same-site attackers can thus obtain a CSRF token for their pre-session, fixate that pre-session in the victim's browser via cookie tossing, and then perform a CSRF attack after the victim authenticates.

Fix

As a solution, newer versions of @fastify/passport include the configuration options

  • clearSessionOnLogin (default: true) and
  • clearSessionIgnoreFields (default: ['session'])

to clear all the session attributes by default, preserving those explicitly defined in clearSessionIgnoreFields.

Credits

Database specific
{
    "cwe_ids": [
        "CWE-352"
    ],
    "nvd_published_at": "2023-04-21T23:15:20Z",
    "github_reviewed_at": "2023-04-21T22:32:47Z",
    "github_reviewed": true,
    "severity": "MODERATE"
}
References

Affected packages

npm / @fastify/passport

Package

Name
@fastify/passport
View open source insights on deps.dev
Purl
pkg:npm/%40fastify/passport

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.1.0

npm / @fastify/passport

Package

Name
@fastify/passport
View open source insights on deps.dev
Purl
pkg:npm/%40fastify/passport

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
2.3.0