CVE-2021-29624

fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Version 3.1.0 of the fastify-csrf fixes it. the vulnerability. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains.

fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Version 3.1.0 of the fastify-csrf fixes it. the vulnerability. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains.

### Impact Users that used fastify-csrf with the "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. ### Patches Version 3.1.0 of the fastify-csrf fixes it. See https://github.com/fastify/fastify-csrf/pull/51 and https://github.com/fastify/csrf/pull/2. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains. ### Workarounds None available. ### References 1. https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html 2. https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf ### Credits This vulnerability was found by Xhelal Likaj <xhelallikaj20@gmail.com>. ### For more information If you have any questions or comments about this advisory: * Open an issue in [fastify-csrf](https://github.com/fastify/fastify-csrf) * Email us at [hello@matteocollina.com](mailto:hello@matteocollina.com)

### Impact Users that used fastify-csrf with the "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. ### Patches Version 3.1.0 of the fastify-csrf fixes it. See https://github.com/fastify/fastify-csrf/pull/51 and https://github.com/fastify/csrf/pull/2. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains. ### Workarounds None available. ### References 1. https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html 2. https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf ### Credits This vulnerability was found by Xhelal Likaj <xhelallikaj20@gmail.com>. ### For more information If you have any questions or comments about this advisory: * Open an issue in [fastify-csrf](https://github.com/fastify/fastify-csrf) * Email us at [hello@matteocollina.com](mailto:hello@matteocollina.com)

fastify-csrf es un plugin de código abierto que ayuda a desarrolladores a proteger su servidor Fastify contra ataques de tipo CSRF.&#xa0;Las versiones de fastify-csrf anterior a versión 3.1.0, presentan un mecanismo de "double submit" usando cookies con una aplicación implementada en múltiples subdominios, por ejemplo, una plataforma de estilo "heroku" como servicio.&#xa0;La versión 3.1.0 de fastify-csrf corrige&#xa0;la vulnerabilidad.&#xa0;El usuario del módulo necesitaría suministrar un "userInfo" cuando se genera el token de tipo CSRF para implementar completamente la protección en su extremo.&#xa0;Esto solo es necesario para aplicaciones alojadas en diferentes subdominios