CVELIST:CVE-2022-41919 (source: GitHub_M)
History: Nov 22, 2022 - 12:00 a.m.

CVE-2022-41919 Fastify vulnerable to Cross-Site Request Forgery (CSRF) attack via incorrect content type

2022-11-22 00:00:00
CWE-352
GitHub_M
www.cve.org
fastify
cve-2022-41919
csrf
vulnerability
fix
patch
cors
protection
content-type
fetch
@fastify/csrf

CVSS3: 4.2 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

AI Score: 8.9 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 44.8%)

Fastify is a web framework with minimal overhead and a plugin architecture. An attacker can use an incorrect Content-Type to bypass the pre-flight check of fetch. fetch() requests whose Content-Type essence is "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain" could potentially be used to invoke routes that only accept the application/json content type, thus bypassing any CORS protection and therefore leading to a Cross-Site Request Forgery attack. This issue has been patched in versions 4.10.2 and 3.29.4. As a workaround, implement Cross-Site Request Forgery protection using `@fastify/csrf`.
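As an added illustration (not Fastify's code and not part of this advisory): a small Content-Type essence parser, following the Fetch standard's definition of essence (type/subtype with parameters stripped), that shows why exactly the three listed types are the ones a browser sends cross-origin without a preflight, and how a JSON-only route should decide on the essence rather than the raw header. The function names and sample headers are constructed for this example.

```javascript
// Added example, not Fastify's implementation: derive the Content-Type
// essence and base the "JSON only" decision on it, never on the raw header.

// Content types a browser may send cross-origin without a CORS preflight
// (the CORS-safelisted request-header values for Content-Type). For these,
// CORS alone does not stand between a foreign page and the route.
const CORS_SAFELISTED_ESSENCES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Return the essence (lowercased type/subtype) of a Content-Type header value,
// or null when it is not a well-formed type/subtype. Everything after the
// first ';' is a parameter and plays no part in the essence.
function contentTypeEssence(header) {
  if (typeof header !== 'string') return null;
  const essence = header.split(';')[0].trim().toLowerCase();
  // token "/" token; rejects empty parts, whitespace and extra slashes
  const tokenSlashToken = /^[!#$%&'*+.^_`|~0-9a-z-]+\/[!#$%&'*+.^_`|~0-9a-z-]+$/;
  return tokenSlashToken.test(essence) ? essence : null;
}

// True when a cross-origin request carrying this Content-Type is sent
// without a preflight, i.e. the route must defend itself (CSRF tokens etc.).
function isCorsSafelistedContentType(header) {
  const essence = contentTypeEssence(header);
  return essence !== null && CORS_SAFELISTED_ESSENCES.has(essence);
}

// Decision for a route that must only accept JSON bodies: exact essence
// comparison. Parameters after ';' cannot influence the outcome.
function jsonRouteAccepts(header) {
  return contentTypeEssence(header) === 'application/json';
}

// Constructed sample headers exercising the decision.
const SAMPLE_HEADERS = [
  'application/json',
  'application/json; charset=utf-8',
  'text/plain',
  'text/plain; application/json', // essence is text/plain; the JSON string is only a parameter
  'multipart/form-data; boundary=----x',
];

function classify(header) {
  return {
    header,
    essence: contentTypeEssence(header),
    preflightFree: isCorsSafelistedContentType(header),
    jsonRouteAccepts: jsonRouteAccepts(header),
  };
}
```

Running `SAMPLE_HEADERS.map(classify)` shows that only the two headers whose essence is application/json are accepted, while the three safelisted ones arrive without any preflight and are rejected by the essence check.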

CNA Affected

[
  {
    "vendor": "fastify",
    "product": "fastify",
    "versions": [
      {
        "version": ">= 4.0.0, < 4.10.2",
        "status": "affected"
      },
      {
        "version": ">= 3.0.0, < 3.29.4",
        "status": "affected"
      }
    ]
  }
]