Cross-site Request Forgery (CSRF) The advisory has been revoked - it doesn't affect any version of package csurf Open this link in a new tab


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-CSURF-3021144
  • published 11 Sep 2022
  • disclosed 11 Sep 2022
  • credit Adrian Tiron

Introduced: 11 Sep 2022

CVE NOT AVAILABLE CWE-352 Open this link in a new tab

Amendment

This was deemed not a vulnerability.

Overview

csurf is a Node.js CSRF protection middleware

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). After consultation with the maintainer and further technical review of the proof-of-concept provided, this issue was found to not be directly exploitable, nor an issue that could reasonably be relevant while using the library in its documented and intended manner, as such we have revoked this advisory in it's entirety.

Note: The original advisory was issued based on a published third party report of this issue however after further research this report was found to not contain an example of reproducible and directly exploitable code.

We thank the maintainer of CSURF for engaging with the team in discussing this matter in order to allow us to rectify the issue, and apologise for the concern caused by the original advisory.