Cross-site Request Forgery (CSRF)
The advisory has been revoked - it doesn't affect any version of package csurf
- Snyk ID SNYK-JS-CSURF-3021144
- published 11 Sep 2022
- disclosed 11 Sep 2022
- credit Adrian Tiron
Amendment
This was deemed not a vulnerability.
Overview
csurf is a Node.js CSRF protection middleware
This advisory originally stated that affected versions of this package were vulnerable to Cross-site Request Forgery (CSRF). After consultation with the maintainer and further technical review of the proof-of-concept provided, the issue was found not to be directly exploitable, nor to be an issue that could reasonably arise while using the library in its documented and intended manner; as such, we have revoked this advisory in its entirety.
Note: The original advisory was issued based on a published third-party report of this issue; however, after further research this report was found not to contain an example of reproducible and directly exploitable code.
We thank the maintainer of CSURF for engaging with the team in discussing this matter in order to allow us to rectify the issue, and apologise for the concern caused by the original advisory.