CVE-2021-29624 : fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fa

fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Version 3.1.0 of the fastify-csrf fixes it. the vulnerability. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains.

Published 2021-05-19 22:15:08

Updated 2022-10-25 20:56:25

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Cross-site request forgery (CSRF)

Exploit prediction scoring system (EPSS) score for CVE-2021-29624

Probability of exploitation activity in the next 30 days: 0.14%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 49 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-29624

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: High Availability: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	2.8	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2021-29624

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Assigned by: nvd@nist.gov (Primary)
CWE-565 Reliance on Cookies without Validation and Integrity Checking

The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

Assigned by: security-advisories@github.com (Secondary)

References for CVE-2021-29624

https://github.com/fastify/fastify-csrf/security/advisories/GHSA-rc4q-9m69-gqp8

Lack of protection against cookie tossing attacks in fastify-csrf · Advisory · fastify/fastify-csrf · GitHub
Patch;Third Party Advisory
https://github.com/fastify/fastify-csrf/pull/51

Support userInfo by mcollina · Pull Request #51 · fastify/fastify-csrf · GitHub
Patch;Third Party Advisory
https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf

Third Party Advisory
https://github.com/fastify/csrf/pull/2

Add utilities to prevent cookie tossing and replay attacks by mcollina · Pull Request #2 · fastify/csrf · GitHub
Patch;Third Party Advisory
https://github.com/fastify/fastify-csrf/releases/tag/v3.1.0

Release v3.1.0 · fastify/fastify-csrf · GitHub
Third Party Advisory
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

Cross-Site Request Forgery Prevention - OWASP Cheat Sheet Series
Third Party Advisory

CVEs referencing this url

Products affected by CVE-2021-29624

Fastify » Fastify-csrf » For Node.js
Versions before (<) 3.1.0
cpe:2.3:a:fastify:fastify-csrf:*:*:*:*:*:node.js:*:*
Matching versions

Vulnerability Details : CVE-2021-29624

Exploit prediction scoring system (EPSS) score for CVE-2021-29624

CVSS scores for CVE-2021-29624

CWE ids for CVE-2021-29624

References for CVE-2021-29624

Products affected by CVE-2021-29624