
Cross-Site Request Forgery (CSRF)


Severity High
Score 8.8/10


The package @fastify/oauth2 used a state parameter that was generated once, statically, at startup time and was then reused across all requests for all users. The purpose of the OAuth2 state parameter is to prevent Cross-Site Request Forgery attacks. As such, it should be unique per user and should be connected to the user's session in some way that allows the server to validate it. The patched version changes the default behavior to store the state in a cookie with the "http-only" and "same-site=lax" attributes set. The state is now generated for every user by default. Note that this contains a breaking change in the "checkStateFunction" function, which now accepts the full Request object. This vulnerability affects versions prior to 7.2.0.

  • LOW
  • HIGH
  • NONE
  • HIGH
  • HIGH

CWE-352 - Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) is a vulnerability that allows an attacker to make arbitrary requests in an authenticated vulnerable web application and disrupt the integrity of the victim's session. The impact of a successful CSRF attack may range from minor to severe, depending upon the capabilities exposed by the vulnerable application and the privileges of the user. An attacker may force the user to perform state-changing requests such as transferring funds or changing their email address or password. If an administrative-level account is affected, it may compromise the whole web application and its associated sensitive data.

Advisory Timeline

  • Published