📦

fastify-csrf

Vendor: fastify

Actively Exploited 0 CISA KEV List

PoC / Exploits 0 Code Available

Total RCEs 0 Remote Access

Total CVEs 2 Total Indexed

Avg. EPSS 0.24% Exploit Prob.

Latest CVE CVE-2021-29624 May 19

Security Vulnerability Index

Page 1 / 1

6.5 CVSS

CVE-2021-29624

fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Version 3.1.0 of the fastify-csrf fixes it. the vulnerability. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains.

EPSS: 0.17%

Severity: MEDIUM

May 19, 2021

5.9 CVSS

CVE-2020-28482

This affects the package fastify-csrf before 3.0.0. 1. The generated cookie used insecure defaults, and did not have the httpOnly flag on: cookieOpts: { path: '/', sameSite: true } 2. The CSRF token was available in the GET query parameter

EPSS: 0.31%

Severity: MEDIUM

Jan 19, 2021

Displaying 2 of 2 Total Entries

Total 1 Sections