Cross site request forgery token fixation in fastify-passport
Description
@fastify/passport is a port of passport authentication library for the Fastify ecosystem. The CSRF (Cross-Site Request Forger) protection enforced by the @fastify/csrf-protection library, when combined with @fastify/passport in affected versions, can be bypassed by network and same-site attackers. fastify/csrf-protection implements the synchronizer token pattern (using plugins @fastify/session and @fastify/secure-session) by storing a random value used for CSRF token generation in the _csrf attribute of a user's session. The @fastify/passport library does not clear the session object upon authentication, preserving the _csrf attribute between pre-login and authenticated sessions. Consequently, CSRF tokens generated before authentication are still valid. Network and same-site attackers can thus obtain a CSRF token for their pre-session, fixate that pre-session in the victim's browser via cookie tossing, and then perform a CSRF attack after the victim authenticates. As a solution, newer versions of @fastify/passport include the configuration options: clearSessionOnLogin (default: true) and clearSessionIgnoreFields (default: ['passport', 'session']) to clear all the session attributes by default, preserving those explicitly defined in clearSessionIgnoreFields.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@fastify/passportnpm | < 1.1.0 | 1.1.0 |
@fastify/passportnpm | >= 2.0.0, < 2.3.0 | 2.3.0 |
Affected products
2- Range: < 1.1.0
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-2ccf-ffrj-m4qwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-29020ghsaADVISORY
- cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.htmlghsax_refsource_MISCWEB
- github.com/fastify/fastify-passport/commit/07c90feab9cba0dd4779e47cfb0717a7e2f01d3dghsax_refsource_MISCWEB
- github.com/fastify/fastify-passport/security/advisories/GHSA-2ccf-ffrj-m4qwghsax_refsource_CONFIRMWEB
- owasp.org/www-community/attacks/csrfghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.