GHSA-QRGF-9GPC-VRXW
Vulnerability from github – Published: 2023-04-20 21:18 – Updated: 2023-05-02 12:31Description
The CSRF protection enforced by the @fastify/csrf-protection library in combination with @fastify/cookie can be bypassed from network and same-site attackers under certain conditions.
@fastify/csrf-protection supports an optional userInfo parameter that binds the CSRF token to the user. This parameter has been introduced to prevent cookie-tossing attacks as a fix for CVE-2021-29624. Whenever userInfo parameter is missing, or its value can be predicted for the target user account, network and same-site attackers can 1. fixate a _csrf cookie in the victim's browser, and 2. forge CSRF tokens that are valid for the victim's session. This allows attackers to bypass the CSRF protection mechanism.
As a fix, @fastify/csrf-protection starting from version 6.3.0 (and v4.1.0) includes a server-defined secret hmacKey that cryptographically binds the CSRF token to the value of the _csrf cookie and the userInfo parameter, making tokens non-spoofable by attackers. This protection is effective as long as the userInfo parameter is unique for each user.
Patches
This is patched in version 6.3.0 and v4.1.0.
Workarounds
As a workaround, developers can use a random, non-predictable userInfo parameter for each user.
Credits
- Pedro Adão (@pedromigueladao), Instituto Superior Técnico, University of Lisbon
- Marco Squarcina (@lavish), Security & Privacy Research Unit, TU Wien
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@fastify/csrf-protection"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@fastify/csrf-protection"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "6.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-27495"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-20T21:18:51Z",
"nvd_published_at": "2023-04-20T18:15:07Z",
"severity": "MODERATE"
},
"details": "## Description\nThe [CSRF](https://owasp.org/www-community/attacks/csrf) protection enforced by the `@fastify/csrf-protection` library in combination with `@fastify/cookie` can be bypassed from network and same-site attackers under certain conditions.\n\n`@fastify/csrf-protection` supports an optional `userInfo` parameter that binds the CSRF token to the user. This parameter has been introduced to prevent cookie-tossing attacks as a fix for [CVE-2021-29624](https://www.cvedetails.com/cve/CVE-2021-29624). Whenever `userInfo` parameter is missing, or its value can be predicted for the target user account, network and [same-site](https://canitakeyoursubdomain.name/) attackers can 1. fixate a `_csrf` cookie in the victim\u0027s browser, and 2. forge CSRF tokens that are valid for the victim\u0027s session. This allows attackers to bypass the CSRF protection mechanism.\n\nAs a fix, `@fastify/csrf-protection` starting from version 6.3.0 (and v4.1.0) includes a server-defined secret `hmacKey` that cryptographically binds the CSRF token to the value of the `_csrf` cookie and the `userInfo` parameter, making tokens non-spoofable by attackers. This protection is effective as long as the `userInfo` parameter is unique for each user.\n\n### Patches\n\nThis is patched in version 6.3.0 and v4.1.0.\n\n### Workarounds\n\nAs a workaround, developers can use a random, non-predictable `userInfo` parameter for each user.\n\n## Credits\n* Pedro Ad\u00e3o (@pedromigueladao), [Instituto Superior T\u00e9cnico, University of Lisbon](https://tecnico.ulisboa.pt/)\n* Marco Squarcina (@lavish), [Security \u0026 Privacy Research Unit, TU Wien](https://secpriv.wien/)",
"id": "GHSA-qrgf-9gpc-vrxw",
"modified": "2023-05-02T12:31:41Z",
"published": "2023-04-20T21:18:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fastify/csrf-protection/security/advisories/GHSA-qrgf-9gpc-vrxw"
},
{
"type": "WEB",
"url": "https://github.com/fastify/csrf-protection/security/advisories/GHSA-rc4q-9m69-gqp8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27495"
},
{
"type": "WEB",
"url": "https://github.com/fastify/csrf-protection/commit/be3e5761f37aa05c7c1ac8ed44499c51ecec8058"
},
{
"type": "PACKAGE",
"url": "https://github.com/fastify/csrf-protection"
},
{
"type": "WEB",
"url": "https://github.com/fastify/csrf-protection/releases/tag/v4.1.0"
},
{
"type": "WEB",
"url": "https://github.com/fastify/csrf-protection/releases/tag/v6.3.0"
},
{
"type": "WEB",
"url": "https://www.cvedetails.com/cve/CVE-2021-29624"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Bypass of CSRF protection in the presence of predictable userInfo"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.