High severity · NVD Advisory · Published Jan 19, 2021 · Updated Sep 16, 2024
Cross-site Request Forgery (CSRF)
CVE-2020-28482
Description
This affects the package fastify-csrf before 3.0.0.

1. The generated cookie used insecure defaults and did not have the httpOnly flag on: `cookieOpts: { path: '/', sameSite: true }`
2. The CSRF token was available in the GET query parameter
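The two defects in the description are both configuration-level: a secret cookie without `HttpOnly`, and a token lookup that accepts the query string. The following is an added example, not fastify-csrf's own code, written in plain Node with no dependencies. It places the cookie options quoted above beside a hardened set, serializes each to a `Set-Cookie` value, audits an options object for the missing flags, and contrasts a token lookup that consults the GET query with one that reads only the body or a header. The header names, the `_csrf` field name, and the mapping of `sameSite: true` to `SameSite=Strict` are assumptions for illustration (the latter follows the convention of the `cookie` npm package); the request objects are constructed.

```javascript
// Added example (not fastify-csrf's code): models the two defects described
// for fastify-csrf < 3.0.0 and their hardened counterparts. No dependencies.

// Cookie options exactly as quoted in the advisory: no httpOnly flag.
const INSECURE_COOKIE_OPTS = { path: '/', sameSite: true };

// Hardened counterpart: httpOnly keeps page scripts from reading the secret
// (an XSS bug would otherwise expose it); secure restricts it to HTTPS.
const HARDENED_COOKIE_OPTS = { path: '/', sameSite: true, httpOnly: true, secure: true };

// Build a Set-Cookie header value from an options object.
// Assumption: sameSite === true is rendered as SameSite=Strict, the convention
// of the widely used `cookie` npm package.
function serializeCookie(name, value, opts) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.sameSite !== undefined && opts.sameSite !== false) {
    const v = opts.sameSite === true ? 'Strict' : String(opts.sameSite);
    parts.push(`SameSite=${v}`);
  }
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  return parts.join('; ');
}

// Defender-side check: list the hardening attributes an options object lacks.
function auditCookieOpts(opts) {
  const findings = [];
  if (!opts.httpOnly) {
    findings.push('missing httpOnly: secret readable by page scripts');
  }
  if (!opts.secure) {
    findings.push('missing secure: cookie also sent over plaintext HTTP');
  }
  const ss = opts.sameSite;
  if (ss === undefined || ss === false || String(ss).toLowerCase() === 'none') {
    findings.push('sameSite not restrictive: cookie attached to cross-site requests');
  }
  return findings;
}

// Token lookup with the GET query string as an accepted source (the behaviour
// the advisory describes). A token carried in a URL leaks into server logs,
// browser history and Referer headers, so it is no longer a secret.
function getTokenInsecure(req) {
  return (req.body && req.body._csrf)
    || (req.headers && (req.headers['csrf-token'] || req.headers['xsrf-token']))
    || (req.query && req.query._csrf)
    || undefined;
}

// Hardened lookup: only the request body or a custom request header is consulted;
// a token presented in the query string is ignored.
function getTokenHardened(req) {
  return (req.body && req.body._csrf)
    || (req.headers && (req.headers['csrf-token'] || req.headers['xsrf-token']))
    || undefined;
}

// Constructed requests: the same token, once in the query string, once in the body.
const viaQuery = { method: 'POST', query: { _csrf: 'tok123' }, headers: {}, body: {} };
const viaBody = { method: 'POST', query: {}, headers: {}, body: { _csrf: 'tok123' } };

console.log('insecure cookie :', serializeCookie('_csrf', 'secret', INSECURE_COOKIE_OPTS));
console.log('hardened cookie :', serializeCookie('_csrf', 'secret', HARDENED_COOKIE_OPTS));
console.log('audit findings  :', auditCookieOpts(INSECURE_COOKIE_OPTS));
console.log('query token, insecure lookup:', getTokenInsecure(viaQuery));
console.log('query token, hardened lookup:', getTokenHardened(viaQuery));
console.log('body token, hardened lookup :', getTokenHardened(viaBody));
```

Run with `node` to see the two `Set-Cookie` values side by side and the audit output for the insecure defaults; the hardened lookup returns `undefined` for the query-string request and `tok123` for the body request, which is the behavioural difference the 3.0.0 fix targets.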
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fastify-csrf (npm) | < 3.0.0 | 3.0.0 |
Affected products
- fastify-csrf/fastify-csrf
References
- github.com/advisories/GHSA-49wp-qq6x-g2rf (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-28482 (NVD advisory)
- github.com/fastify/fastify-csrf/commit/3c9de36e9e73ce0eda9207f84f2ac0243e1f5253 (fix commit)
- github.com/fastify/fastify-csrf/pull/26 (fix pull request)
- snyk.io/vuln/SNYK-JS-FASTIFYCSRF-1062044 (Snyk advisory)
- www.npmjs.com/package/fastify-csrf (package page)