GHSA-qrgf-9gpc-vrxw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qrgf-9gpc-vrxw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-qrgf-9gpc-vrxw/GHSA-qrgf-9gpc-vrxw.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-qrgf-9gpc-vrxw
- Aliases
- Related
- Published
- 2023-04-20T21:18:51Z
- Modified
- 2023-11-08T04:12:05.408256Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- Bypass of CSRF protection in the presence of predictable userInfo
- Details
-
Description
The CSRF protection enforced by the
@fastify/csrf-protectionlibrary in combination with@fastify/cookiecan be bypassed from network and same-site attackers under certain conditions.@fastify/csrf-protectionsupports an optionaluserInfoparameter that binds the CSRF token to the user. This parameter has been introduced to prevent cookie-tossing attacks as a fix for CVE-2021-29624. WheneveruserInfoparameter is missing, or its value can be predicted for the target user account, network and same-site attackers can 1. fixate a_csrfcookie in the victim's browser, and 2. forge CSRF tokens that are valid for the victim's session. This allows attackers to bypass the CSRF protection mechanism.As a fix,
@fastify/csrf-protectionstarting from version 6.3.0 (and v4.1.0) includes a server-defined secrethmacKeythat cryptographically binds the CSRF token to the value of the_csrfcookie and theuserInfoparameter, making tokens non-spoofable by attackers. This protection is effective as long as theuserInfoparameter is unique for each user.Patches
This is patched in version 6.3.0 and v4.1.0.
Workarounds
As a workaround, developers can use a random, non-predictable
userInfoparameter for each user.Credits
- Pedro Adão (@pedromigueladao), Instituto Superior Técnico, University of Lisbon
- Marco Squarcina (@lavish), Security & Privacy Research Unit, TU Wien
- Database specific
{ "github_reviewed_at": "2023-04-20T21:18:51Z", "cwe_ids": [ "CWE-352" ], "nvd_published_at": "2023-04-20T18:15:07Z", "severity": "MODERATE", "github_reviewed": true }- References
-
- https://github.com/fastify/csrf-protection/security/advisories/GHSA-qrgf-9gpc-vrxw
- https://github.com/fastify/csrf-protection/security/advisories/GHSA-rc4q-9m69-gqp8
- https://nvd.nist.gov/vuln/detail/CVE-2023-27495
- https://github.com/fastify/csrf-protection/commit/be3e5761f37aa05c7c1ac8ed44499c51ecec8058
- https://github.com/fastify/csrf-protection
- https://github.com/fastify/csrf-protection/releases/tag/v4.1.0
- https://github.com/fastify/csrf-protection/releases/tag/v6.3.0
- https://www.cvedetails.com/cve/CVE-2021-29624
Affected packages
npm / @fastify/csrf-protection
Package
- Name
- @fastify/csrf-protection
- View open source insights on deps.dev
- Purl
- pkg:npm/%40fastify/csrf-protection
npm / @fastify/csrf-protection
Package
- Name
- @fastify/csrf-protection
- View open source insights on deps.dev
- Purl
- pkg:npm/%40fastify/csrf-protection