@fastify/passport@2.2.0 vulnerabilities

Simple, unobtrusive authentication for Fastify.

latest version

3.0.1
latest non vulnerable version

3.0.1
first published

3 years ago
latest version published

2 months ago
licenses detected
- MIT
  >=0
View @fastify/passport package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the @fastify/passport package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Cross-site Request Forgery (CSRF) @fastify/passport is a Simple, unobtrusive authentication for Fastify. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). CSRF protection is implemented using a synchronizer token pattern, by storing a random value used for CSRF token generation in the `_csrf` attribute of a user's session. The `@fastify/passport` library does not clear the session object upon authentication, preserving the `_csrf` attribute between pre-login and authenticated sessions. Consequently, CSRF tokens generated before authentication are still valid. How to fix Cross-site Request Forgery (CSRF)? Upgrade `@fastify/passport` to version 1.1.0, 2.3.0 or higher.	<1.1.0 >=2.0.0 <2.3.0
H Session Fixation @fastify/passport is a Simple, unobtrusive authentication for Fastify. Affected versions of this package are vulnerable to Session Fixation. `fastify` applications rely on the `@fastify/passport` library for user authentication. The login and user validation are performed by the `authenticate` function. When executing this function, the `sessionId` is preserved between the pre-login and the authenticated session. Network and same-site attackers can hijack the victim's session by tossing a valid `sessionId` cookie in the victim's browser and wait for the victim to log in on the website. How to fix Session Fixation? Upgrade `@fastify/passport` to version 1.1.0, 2.3.0 or higher.	<1.1.0 >=2.0.0 <2.3.0

Cross-site Request Forgery (CSRF)

@fastify/passport is a Simple, unobtrusive authentication for Fastify.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). CSRF protection is implemented using a synchronizer token pattern, by storing a random value used for CSRF token generation in the _csrf attribute of a user's session. The @fastify/passport library does not clear the session object upon authentication, preserving the _csrf attribute between pre-login and authenticated sessions. Consequently, CSRF tokens generated before authentication are still valid.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade @fastify/passport to version 1.1.0, 2.3.0 or higher.

<1.1.0 >=2.0.0 <2.3.0

Session Fixation

@fastify/passport is a Simple, unobtrusive authentication for Fastify.

Affected versions of this package are vulnerable to Session Fixation. fastify applications rely on the @fastify/passport library for user authentication. The login and user validation are performed by the authenticate function. When executing this function, the sessionId is preserved between the pre-login and the authenticated session. Network and same-site attackers can hijack the victim's session by tossing a valid sessionId cookie in the victim's browser and wait for the victim to log in on the website.

How to fix Session Fixation?

Upgrade @fastify/passport to version 1.1.0, 2.3.0 or higher.

<1.1.0 >=2.0.0 <2.3.0

Go back to all versions of this package

@fastify/passport@2.2.0 vulnerabilities

Simple, unobtrusive authentication for Fastify.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities