HIGH 8.8
GHSA-49wp-qq6x-g2rf
Cross-site Request Forgery in fastify-csrf
상세
The package fastify-csrf before 3.0.0 has a set of issues that affect its ability to do CSRF protection. 1. The generated cookie used insecure defaults, and did not have the httpOnly flag on: `cookieOpts: { path: '/', sameSite: true }` 2. The CSRF token was available in the GET query parameter
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://nvd.nist.gov/vuln/detail/CVE-2020-28482 [ADVISORY]
- https://github.com/fastify/fastify-csrf/pull/26 [WEB]
- https://github.com/fastify/fastify-csrf/commit/3c9de36e9e73ce0eda9207f84f2ac0243e1f5253 [WEB]
- https://github.com/fastify/fastify-csrf [PACKAGE]
- https://snyk.io/vuln/SNYK-JS-FASTIFYCSRF-1062044 [WEB]
- https://www.npmjs.com/package/fastify-csrf [WEB]