@fastify/passport is vulnerable to Cross-site Request Forgery (CSRF). When a user logs in, the library does not discard the existing session object, so the _csrf property stays intact across the unauthenticated and the authenticated session. CSRF tokens created prior to authentication therefore remain valid after login. Thus, network and same-site attackers can acquire a CSRF token for their pre-session, fixate that pre-session in the victim's browser via cookie throwing, and then carry out a CSRF attack once the victim authenticates. Note that the vulnerability is only applicable if @fastify/csrf-protection is used for CSRF protection.
cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern
github.com/advisories/GHSA-2ccf-ffrj-m4qw
github.com/fastify/fastify-passport/commit/07c90feab9cba0dd4779e47cfb0717a7e2f01d3d
github.com/fastify/fastify-passport/commit/52f9f6ebb6da6e3b56578e4ea17379b6d0f6645e
github.com/fastify/fastify-passport/pull/844
github.com/fastify/fastify-passport/security/advisories/GHSA-2ccf-ffrj-m4qw
owasp.org/www-community/attacks/csrf