CVE-2021-22964
A redirect vulnerability in the fastify-static module versions >= 4.2.4 and <= 4.4.1 allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e. A DOS vulnerability is possible if the...
CVE-2021-22964
CVE-2021-22964 describes a redirect vulnerability in the fastify-static module (versions >=4.2.4 and
Fastify-Static input validation error vulnerability
Fastify-Static is a plugin. It is used to serve static files as soon as possible. A security vulnerability exists in versions of the fastify-static module prior to 4.2.4, which can be exploited by an attacker to redirect a user to an arbitrary website using a double slash followed by a domain...
Fastify-Static input validation error vulnerability
Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. A security vulnerability exists in the fastify-static module versions 4.2.4 through 4.4.1, which can be exploited by an attacker to redirect a user to an arbitrary website using a double-slash followed...
@wmfs/tymly-fastify-plugin (>=1.50.0 <=1.51.0), egg-bag (>=1.44.43 <=1.45.11) potentially affected by CVE-2021-22964 via fastify-static (>=4.2.4 <=4.4.0)
fastify-static NPM version =4.2.4, =1.50.0, =1.44.43, =1.45.11 Source cves: CVE-2021-22964 Source advisory: OSV:GHSA-PGH6-M65R-2RHQ...
DOS and Open Redirect with user input
Impact A redirect vulnerability in the fastify-static module allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e. A DOS vulnerability is possible if the URL contains inval...
GHSA-PGH6-M65R-2RHQ DOS and Open Redirect with user input
Impact A redirect vulnerability in the fastify-static module allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e. A DOS vulnerability is possible if the URL contains inval...
Fastify: 1-click DOS in fastify-static via directly passing user's input to new URL() of NodeJS without try/catch
Summary: When fastify-static is mounted at root and registered with the option redirect: true (the default of the redirect option is false), the following line directly feeds the user's input, req.raw.url, to the URL API without try/catch: https://github.com/fastify/fastify-static/blob/master/index.js#L439. A remo...
@acot/acot-config (>=0.0.4 <=0.0.8), @acot/acot-preset-axe (>=0.0.4 <=0.0.8) +253 more potentially affected by CVE-2021-22963 via fastify-static (>=0.10.1 <=4.2.3)
fastify-static NPM version =0.10.1, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =1.1.0, =1.0.0, =1.0.1, =1.0.0-beta.1, =0.1.1-alpha.1, =0.1.0, =0.1.0, =1.0.0, =1.10.0 and more Source cves: CVE-2021-22963 Source advisory: OSV:GHSA-P6VG-P826-QP3V...
URL Redirection to Untrusted Site ('Open Redirect') in fastify-static
Impact A redirect vulnerability in the fastify-static module allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//google.com/%2e%2e. The issue shows up on all the fastify-static applications that set...
GHSA-P6VG-P826-QP3V URL Redirection to Untrusted Site ('Open Redirect') in fastify-static
Impact A redirect vulnerability in the fastify-static module allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//google.com/%2e%2e. The issue shows up on all the fastify-static applications that set...
Fastify: Open redirect in fastify-static via mishandled user's input when attempt to redirect
Summary: When fastify-static is mounted at root with the register option redirect: true, the following 2 lines cause an open redirect bug: https://github.com/fastify/fastify-static/blob/master/index.js#L156-L157. Remote attackers can redirect users to arbitrary web sites via a double forward slash:...
CVE-2021-29624
fastify-csrf is an open-source plugin that helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service...
CVE-2021-29624
fastify-csrf is an open-source plugin that helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service...
Cross site request forgery (csrf)
fastify-csrf is an open-source plugin that helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service...
CVE-2021-29624 Lack of protection against cookie tossing attacks in fastify-csrf
fastify-csrf is an open-source plugin that helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service...
CVE-2021-29624
CVE-2021-29624 concerns fastify-csrf. Older releases (pre-3.1.0) use a double-submitted cookie CSRF mechanism across subdomains, which is addressed in 3.1.0. The vulnerability involves the optional userInfo parameter that binds the CSRF token to the user; if userInfo is missing or predictable, ne...
Cross-site Request Forgery (CSRF)
fastify-csrf is vulnerable to Cross-site Request Forgery (CSRF). The vulnerability exists when fastify-csrf is used with the "double submit" mechanism using cookies with an application deployed across multiple subdomains...
Fastify cross-site request forgery vulnerability
Fastify is an open source web framework for Node.js from the OpenJS Foundation. Node.js fastify suffers from a security vulnerability that allows an attacker to trigger cross-site request forgery via Cookie Double Submit in Node.js fastify-csrf in order to force the victim to perform an...
cookie tossing attack
Overview Users that used fastify-csrf with the "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Recommendation Upgrade to version 3.1.0 or later References - CVE - GitHub Advisory...