@fastify/passport is a port of passport authentication library for the Fastify ecosystem. The CSRF (Cross-Site Request Forger) protection enforced by the `@fastify/csrf-protection` library, when combined with `@fastify/passport` in affected versions, can be bypassed by network and same-site attackers. `fastify/csrf-protection` implements the synchronizer token pattern (using plugins `@fastify/session` and `@fastify/secure-session`) by storing a random value used for CSRF token generation in the `_csrf` attribute of a user's session. The `@fastify/passport` library does not clear the session object upon authentication, preserving the `_csrf` attribute between pre-login and authenticated sessions. Consequently, CSRF tokens generated before authentication are still valid. Network and same-site attackers can thus obtain a CSRF token for their pre-session, fixate that pre-session in the victim's browser via cookie tossing, and then perform a CSRF attack after the victim authenticates. As a solution, newer versions of `@fastify/passport` include the configuration options: `clearSessionOnLogin (default: true)` and `clearSessionIgnoreFields (default: ['passport', 'session'])` to clear all the session attributes by default, preserving those explicitly defined in `clearSessionIgnoreFields`.
Published 2023-04-21 23:15:20
Updated 2023-05-03 14:42:00
Source GitHub, Inc.
View at NVD,   CVE.org
Vulnerability category: Cross-site request forgery (CSRF)

Products affected by CVE-2023-29020

Exploit prediction scoring system (EPSS) score for CVE-2023-29020

0.08%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 34 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-29020

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
6.5
MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
2.8
3.6
NIST
6.5
MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
2.8
3.6
GitHub, Inc.

CWE ids for CVE-2023-29020

  • The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
    Assigned by:
    • nvd@nist.gov (Primary)
    • security-advisories@github.com (Secondary)
  • Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
    Assigned by: security-advisories@github.com (Secondary)

References for CVE-2023-29020

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!