@fastify/csrf-protection@6.1.0 vulnerabilities

A plugin for adding CSRF protection to Fastify.

Direct Vulnerabilities

Known vulnerabilities in the @fastify/csrf-protection package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: Cross-site Request Forgery (CSRF), severity M

@fastify/csrf-protection is a plugin for adding CSRF protection to Fastify.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF): whenever the userInfo parameter is missing, or its value can be predicted for the target user account, network and same-site attackers can (1) fixate a _csrf cookie in the victim's browser and (2) forge CSRF tokens that are valid for the victim's session. This allows attackers to bypass the CSRF protection mechanism.

Note: This issue is exploitable when the library is used in combination with @fastify/cookie.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade @fastify/csrf-protection to version 4.1.0, 6.3.0 or higher.

Vulnerable versions: <4.1.0 and >=5.0.0 <6.3.0