CVE-2016-10535
Description
csrf-lite is a cross-site request forgery protection library for framework-less node sites. csrf-lite uses ===, a fail-first string comparison, instead of a constant-time string comparison. This enables an attacker to guess the secret in no more than (16*18) = 288 guesses, instead of the 16^18 guesses required were the timing attack not present.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
csrf-lite uses a non-constant-time string comparison for CSRF tokens, enabling a timing attack that reduces the effective secret entropy to 288 guesses.
Vulnerability
csrf-lite is a cross-site request forgery (CSRF) protection library for framework-less Node.js sites. Versions before 0.1.2 use the === operator for comparing CSRF tokens, which is a fail-first string comparison instead of a constant-time comparison. This design flaw allows an attacker to exploit timing differences to guess the secret token. [1][2]
Exploitation
An attacker needs network proximity to measure subtle timing differences in the server's response. By sending requests with guessed token values and observing the response times, they can deduce each character of the secret sequentially. Under favorable network conditions, the secret can be guessed in no more than (16*18) = 288 guesses, compared to the 16^18 guesses required if a constant-time comparison were used. [1][2]
Impact
Successful exploitation enables the attacker to forge valid CSRF tokens, thereby bypassing the CSRF protection. This allows the attacker to perform actions on behalf of an authenticated user, leading to potential unauthorized state changes, such as modifying account settings or submitting forms. [1][2]
Mitigation
The vulnerability was fixed in version 0.1.2 of csrf-lite, which replaced the === comparison with a constant-time string comparison using the scmp library. [3] Users should update to version 0.1.2 or later. No workarounds are available for earlier versions. [2]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| csrf-lite | npm | < 0.1.2 | 0.1.2 |
Affected products
- HackerOne / csrf-lite node module; range: <=0.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-hjhr-r3gq-qvp6 (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2016-10535 (NVD advisory)
- [3] github.com/isaacs/csrf-lite/pull/1 (fix pull request)
- nodesecurity.io/advisories/94 (Node Security advisory)
- www.npmjs.com/advisories/94 (npm advisory)
News mentions
No linked articles in our index yet.