5 matches found
@flowforge/flowforge (>=0.9.0 <=0.10.0), schwing (>=0.2.14 <=0.2.26) potentially affected by CVE-2021-29624 +1 more via @fastify/csrf-protection (=5.1.0)
@fastify/csrf-protection NPM version =5.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on @fastify/csrf-protection and may be impacted: - @flowforge/flowforge =0.9.0, =0.2.14, =0.2.26 Source cves: CVE-2021-29624, CVE-2023-27495 Source advisory:...
GHSA-QRGF-9GPC-VRXW Bypass of CSRF protection in the presence of predictable userInfo
Description The CSRF protection enforced by the @fastify/csrf-protection library in combination with @fastify/cookie can be bypassed from network and same-site attackers under certain conditions. @fastify/csrf-protection supports an optional userInfo parameter that binds the CSRF token to the use...
CVE-2021-29624 Lack of protection against cookie tossing attacks in fastify-csrf
fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service...
cookie tossing attack
Overview Users that used fastify-csrf with the "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Recommendation Upgrade to version 3.1.0 or later References - CVE - GitHub Advisory...
@nodosjs/view-extension (=0.0.43) potentially affected by CVE-2021-29624 via fastify-csrf (=2.0.0)
fastify-csrf NPM version =2.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on fastify-csrf and may be impacted: - @nodosjs/view-extension =0.0.43 Source cves: CVE-2021-29624 Source advisory: OSV:GHSA-RC4Q-9M69-GQP8...