Cross-Site Request Forgery (CSRF)
CVE-2023-27495
Summary
@fastify/csrf-protection is a plugin that helps protect Fastify servers against CSRF attacks. The CSRF protection enforced by the library in combination with @fastify/cookie can be bypassed by network and same-site attackers under certain conditions. The package supports an optional userInfo parameter that binds the CSRF token to the user; this parameter was introduced to prevent cookie-tossing attacks, as the fix for CVE-2021-29624. Whenever the userInfo parameter is missing, or its value can be predicted for the target user account, network and same-site attackers can (1) fixate a _csrf cookie in the victim's browser and (2) forge CSRF tokens that are valid for the victim's session.

Versions through 4.0.1 and 5.0.0 through 6.2.0 allow attackers to bypass the CSRF protection mechanism. This vulnerability also affects the fastify-csrf package at version 3.1.0.

The fix introduces a server-defined secret, hmacKey, that cryptographically binds the CSRF token to the value of the _csrf cookie and to the userInfo parameter, so that attackers cannot forge tokens without knowing the key. This protection is effective only as long as the userInfo parameter is unique for each user. Users are advised to upgrade. Users unable to upgrade can use a random, non-predictable userInfo value for each user as a mitigation.
CVSS v3 base metrics
- Attack complexity: LOW
- Attack vector: NETWORK
- Integrity impact: HIGH
- Scope: UNCHANGED
- User interaction: REQUIRED
- Privileges required: NONE
- Confidentiality impact: NONE
- Availability impact: NONE
CWE-352 - Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) is a vulnerability that allows an attacker to make arbitrary requests in a vulnerable web application on behalf of an authenticated victim, violating the integrity of the victim's session. The impact of a successful CSRF attack ranges from minor to severe, depending on the capabilities exposed by the vulnerable application and the privileges of the user. An attacker may force the user to perform state-changing requests such as transferring funds or changing their email address or password. If an administrative-level account is affected, the whole web application and its associated sensitive data may be compromised.