Homepage

csrf-lite@0.1.1 vulnerabilities

csrf protection for framework-less node sites

  • latest version

    1.0.0

  • latest non vulnerable version

    1.0.0

  • first published

    11 years ago

  • latest version published

    8 years ago

  • licenses detected

  • View csrf-lite package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the csrf-lite package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Non-Constant Time String Comparison

    csrf-lite is a CSRF protection utility for framework-free node sites. Affected versions of the package are vulnerable to a timing attack.

    While the CSRF protection itself works well and increases security, the library uses the built-in string comparison mechanism, ===, and not a time constant string comparison. As a result, the comparison will fail faster when the first characters in the token are incorrect. An attacker can use this difference to perform a timing attack, essentially allowing them to guess the CSRF token one character at a time.

    You can read more about timing attacks in Node.js on the Snyk blog: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/

    How to fix Non-Constant Time String Comparison?

    Update to version 0.1.2 or higher.

    <=0.1.1
    Go back to all versions of this package