GHSA-3fjj-p79j-c9hh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3fjj-p79j-c9hh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-3fjj-p79j-c9hh/GHSA-3fjj-p79j-c9hh.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3fjj-p79j-c9hh
- Aliases
- Related
- Published
- 2022-11-21T22:28:11Z
- Modified
- 2023-11-08T04:10:35.631515Z
- Severity
-
- 4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- Fastify: Incorrect Content-Type parsing can lead to CSRF attack
- Details
-
Impact
The attacker can use the incorrect
Content-Typeto bypass thePre-Flightchecking offetch.fetch()requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only acceptsapplication/jsoncontent type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack.Patches
For
4.xusers, please update to at least4.10.2For3.xusers, please update to at least3.29.4Workarounds
Implement Cross-Site Request Forgery protection using
@fastify/csrf.References
Check out the HackerOne report: https://hackerone.com/reports/1763832.
For more information
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2022-11-21T22:28:11Z", "cwe_ids": [ "CWE-352" ], "nvd_published_at": "2022-11-22T20:15:00Z", "severity": "MODERATE" }- References
Affected packages
npm / fastify
Package
- Name
- fastify
- View open source insights on deps.dev
- Purl
- pkg:npm/fastify
npm / fastify
Package
- Name
- fastify
- View open source insights on deps.dev
- Purl
- pkg:npm/fastify