Cross site request forgery (csrf)

2021-01-1915:15:00

PRIOn knowledge base

www.prio-n.com

8.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.5%

JSON

This affects the package fastify-csrf before 3.0.0. 1. The generated cookie used insecure defaults, and did not have the httpOnly flag on: cookieOpts: { path: ‘/’, sameSite: true } 2. The CSRF token was available in the GET query parameter

CPENameOperatorVersion
fastify-csrflt3.0.0

CPE	Name	Operator	Version
	fastify-csrf	lt	3.0.0

References

github.com/fastify/fastify-csrf/pull/26

snyk.io/vuln/SNYK-JS-FASTIFYCSRF-1062044