Cross-site Request Forgery (CSRF)

The advisory has been revoked - it doesn't affect any version of package csurf

  • Snyk ID: SNYK-JS-CSURF-3021144
  • Published: 11 Sept 2022
  • Disclosed: 11 Sept 2022
  • Credit: Adrian Tiron

Introduced: 11 Sep 2022

CVE: not available. CWE-352

Amendment

This was deemed not a vulnerability.

Overview

csurf is a Node.js CSRF protection middleware.

Affected versions of this package were originally reported as vulnerable to Cross-site Request Forgery (CSRF). After consultation with the maintainer and further technical review of the proof-of-concept provided, this issue was found not to be directly exploitable, nor to be an issue that could reasonably be relevant while using the library in its documented and intended manner. As such, we have revoked this advisory in its entirety.

Note: The original advisory was issued based on a published third-party report of this issue; however, after further research this report was found not to contain an example of reproducible and directly exploitable code.

We thank the maintainer of csurf for engaging with the team to discuss this matter so that we could rectify the issue, and apologise for the concern caused by the original advisory.