2 matches found
CVE-2023-29020
CVE-2023-29020 describes a CSRF token fixation flaw in the interaction between @fastify/passport and @fastify/csrf-protection. The issue arises because @fastify/passport does not clear the user session on login, allowing the _csrf token generated before authentication to remain valid across unaut...
CVE-2023-29019
The CVE-2023-29019 issue affects the @fastify/passport package used with @fastify/session. The login flow preserves the sessionId between pre-login and authenticated sessions due to the authenticate function, enabling session fixation by network or same-site attackers who can supply a valid sessi...