VYPR
Moderate severityNVD Advisory· Published May 19, 2021· Updated Aug 3, 2024

Lack of protection against cookie tossing attacks in fastify-csrf

CVE-2021-29624

Description

fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Version 3.1.0 of the fastify-csrf fixes it. the vulnerability. The user of the module would need to supply a userInfo when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
fastify-csrfnpm
< 3.1.03.1.0

Affected products

2

Patches

Vulnerability mechanics

References

8

News mentions

0

No linked articles in our index yet.