Cross-site Request Forgery (CSRF) Affecting fastify package, versions >=3.0.0 <3.29.4 >=4.0.0 <4.10.2


Snyk CVSS: medium
  • Attack Complexity: High
  • User Interaction: Required

Threat Intelligence
  • EPSS: 0.1% (40th percentile)
NVD: 8.8 high

  • Snyk ID SNYK-JS-FASTIFY-3136527
  • published 22 Nov 2022
  • disclosed 21 Nov 2022
  • credit Unknown

How to fix?

Upgrade fastify to version 3.29.4, 4.10.2 or higher.

Overview

fastify is a low-overhead web framework for Node.js.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). An attacker can use an incorrect Content-Type to bypass the pre-flight check of fetch. fetch() requests whose Content-Type essence is "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain" are sent by the browser without a CORS pre-flight, so they could be used to invoke routes that only accept the application/json content type, bypassing any CORS protection and therefore enabling a Cross-Site Request Forgery attack.
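As an added illustration (not fastify's own code), the check a JSON-only route needs: compare the Content-Type essence rather than the raw header, and treat the three CORS-safelisted essences as never acceptable for such a route. The weakAcceptsJson function and the sample headers are constructed for contrast and are not taken from fastify.

```javascript
// Added example (not fastify's code): parse the Content-Type "essence"
// (type/subtype without parameters) and gate a JSON-only route on it.

// CORS-safelisted essences: a browser sends these cross-origin without a
// preflight, so a JSON-only route must never accept bodies carrying them.
const CORS_SAFELISTED = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Return the lower-cased essence of a Content-Type header value, or null
// if the header is missing or has no type/subtype.
function contentTypeEssence(header) {
  if (typeof header !== 'string') return null;
  const essence = header.split(';')[0].trim().toLowerCase();
  return /^[\w.+-]+\/[\w.+-]+$/.test(essence) ? essence : null;
}

// Weak check (hypothetical, for contrast): substring matching accepts a
// safelisted type that merely mentions JSON in a parameter.
function weakAcceptsJson(header) {
  return typeof header === 'string' && header.toLowerCase().includes('application/json');
}

// Hardened check: only an exact essence match passes.
function strictAcceptsJson(header) {
  return contentTypeEssence(header) === 'application/json';
}

// Decide what a JSON-only route should do with a request. Returns
// 'accept', or a reason string to back a 415 Unsupported Media Type reply.
function gateJsonRoute(headers) {
  const essence = contentTypeEssence(headers['content-type']);
  if (essence === null) return 'missing-content-type';
  if (essence !== 'application/json') {
    return CORS_SAFELISTED.has(essence) ? 'cors-safelisted-type' : 'unsupported-type';
  }
  return 'accept';
}

// Constructed sample headers (lower-cased keys, as Node exposes them).
const SAMPLES = {
  json: { 'content-type': 'application/json; charset=utf-8' },
  form: { 'content-type': 'application/x-www-form-urlencoded' },
  plain: { 'content-type': 'text/plain; x=application/json' },
  none: {},
};
```

The same essence comparison is what a content-type parser registered for "application/json" should key on; substring or prefix matching on the raw header is not enough.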

References