Cross site request forgery (csrf)
This affects the package fastify-csrf before 3.0.0. 1. The generated cookie used insecure defaults, and did not have the httpOnly flag on: `cookieOpts: { path: '/', sameSite: true }` 2. The CSRF token was available in the GET query parameter...
CVE-2020-28482
CVE-2020-28482 affects the npm package fastify-csrf prior to 3.0.0. The issues: (1) the generated cookie uses insecure defaults and lacks the httpOnly flag (cookieOpts: { path: '/', sameSite: true }), and (2) the CSRF token is exposed in the GET query parameter. This weakens CSRF protections and ...
Cross-site Request Forgery (CSRF)
Overview fastify-csrf is a plugin for adding CSRF protection to Fastify. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). The generated cookie used insecure defaults, and did not have the httpOnly flag on: `cookieOpts: { path: '/', sameSite: true }`. Also, the CS...
Fastify Fastify-csrf Cross-Site Request Forgery Vulnerability
Fastify fastify-csrf is a JavaScript-based plugin that provides CSRF protection for Fastify in the Fastify community. A security vulnerability exists in fastify-csrf before 3.0.0 due to an insecure default value being used in the generated cookie, no httpOnly, and CSRF tokens being available in t...
Node.js third-party modules: Default behavior of Fastify's versioned routes can be used for cache poisoning when Fastify is used in combination with an HTTP cache / CDN
I would like to report possible cache poisoning in Fastify. It allows an attacker to perform cache poisoning when Fastify is used in combination with an HTTP cache / CDN. Module module name: Fastify version: 3.x npm page: https://www.npmjs.com/package/fastify Module Description Fast and low...
46c-sector (>=1.0.0 <=1.2.1), @agentframework/cli (>=0.9.6 <=0.11.1) +186 more potentially affected by CVE-2020-8192 via fastify (>=0.21.0 <=2.15.0)
fastify NPM version =0.21.0, =1.0.0, =0.9.6, =0.3.0, =2.0.0, =6.3.1, =1.0.0, =0.1.0, =0.0.1, =1.0.0-alpha.9, =1.0.0-alpha.1, =0.0.3, =1.1.3, =1.2.1 - @gyrfalcon/nuxt =1.0.0 and more Source cves: CVE-2020-8192 Source advisory: OSV:GHSA-XW5P-HW6R-2J98...
GHSA-XW5P-HW6R-2J98 Denial of service in fastify
A denial of service vulnerability exists in Fastify v2.14.1 and v3.0.0-rc.4 that allows a malicious user to trigger resource exhaustion when the allErrors option is used with specially crafted schemas...
Fastify Resource Management Error Vulnerability
Fastify is an OpenJS Foundation open source web framework for Node.js. A resource management error vulnerability exists in Fastify versions v2.14.1 and v3.0.0-rc.4. An attacker can exploit this vulnerability to cause resource exhaustion denial of service...
CVE-2020-8192
CVE-2020-8192 affects Fastify versions 2.14.1 and 3.0.0-rc.4. The vulnerability is a denial-of-service via resource exhaustion when the AJV-based validation uses the allErrors option and receives specially crafted schemas. The impact described in multiple connected records is that a malicious use...
Denial Of Service (DoS)
fastify is vulnerable to denial of service (DoS). The default usage of `allErrors: true` in the ajv configuration allows an attacker to cause a denial of service condition...
Node.js third-party modules: Fastify uses `allErrors: true` ajv configuration by default, which is susceptible to DoS
I would like to report a denial of service vulnerability in fastify. It allows causing a DoS with some schemas that were otherwise assumed to be secure against DoS by their authors. Module module name: fastify version: 2.14.1, 3.0.0-rc.4 npm page: https://www.npmjs.com/package/fastify Module...
Information Disclosure
apollo-server-fastify is vulnerable to information disclosure. The vulnerability exists as ApolloServer incorrectly drops the values of this.requestOptions.validationRules when creating a SubscriptionServer...
Information Exposure
Overview Versions of apollo-server-fastify prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the WebSocket. This leaks the GraphQL schema types, their...
Node.js: Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests
Summary: Node.js is vulnerable to HTTP denial of service (DoS) attacks based on delayed request submission, which can make the server unable to accept new connections. Description: An attacker can open an arbitrary number of HTTP connections and keep the server busy by never completing the request...