Fastify Csrf

Submit a proposal Propose CVE/GCVE/GHSA reference

Approved changes feed: RSS · Atom

cpe:2.3:a:fastify:fastify-csrf:*:*:*:*:*:node.js:*:*

part: a version: * update: *

VendorFastify (51747187-798b-5030-972d-b19db43759b4)
ProductFastify Csrf (9b928153-309d-5aa9-9821-9b22c658044c)
Edition*
Language*
Software edition*
Target softwarenode.js
Target hardware*
Other*
NotesImported from gcve-enriched-dumps CVE data

PURL mappings

PURLSourceLast updated
No PURL mappings for this CPE yet.

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2021-29624 vulnerable 2026-06-03 14:44:20.325036 Lack of protection against cookie tossing attacks in fastify-csrf
MEDIUM (6.5)
fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Version 3.1.0 of the fastify-csrf fixes it. the vulnerability. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains.
Published: 2021-05-19T21:15:28.000Z
Updated: 2024-08-03T22:11:06.350Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-28482 vulnerable 2026-06-03 14:42:21.377879 Cross-site Request Forgery (CSRF)
MEDIUM (5.9)
This affects the package fastify-csrf before 3.0.0. 1. The generated cookie used insecure defaults, and did not have the httpOnly flag on: cookieOpts: { path: '/', sameSite: true } 2. The CSRF token was available in the GET query parameter
Published: 2021-01-19T14:50:18.191Z
Updated: 2024-09-16T19:05:34.497Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.