CVE-2021-29624
CVE-2021-29624 concerns fastify-csrf. Older releases (pre-3.1.0) use a double-submitted cookie CSRF mechanism across subdomains, which is addressed in 3.1.0. The vulnerability involves the optional userInfo parameter that binds the CSRF token to the user; if userInfo is missing or predictable, ne...
CVE-2020-28482
CVE-2020-28482 affects the npm package fastify-csrf prior to 3.0.0. The issues: (1) the generated cookie uses insecure defaults and lacks the httpOnly flag (cookieOpts: { path: '/', sameSite: true }), and (2) the CSRF token is exposed in the GET query parameter. This weakens CSRF protections and ...