VDB
KO
HIGH 8.8

GHSA-49wp-qq6x-g2rf

Cross-site Request Forgery in fastify-csrf

Details

The package fastify-csrf before 3.0.0 has a set of issues that affect its ability to do CSRF protection. 1. The generated cookie used insecure defaults, and did not have the httpOnly flag on: `cookieOpts: { path: '/', sameSite: true }` 2. The CSRF token was available in the GET query parameter

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / fastify-csrf
Introduced in: 0 Fixed in: 3.0.0
Fix npm install fastify-csrf@3.0.0

References