The CSRF protection enforced by the @fastify/csrf-protection library, when combined with @fastify/passport, can be bypassed by network and same-site attackers.
fastify/csrf-protection implements the synchronizer token pattern (using plugins @fastify/session and @fastify/secure-session) by storing a random value used for CSRF token generation in the _csrf attribute of a user's session.
The @fastify/passport library does not clear the session object upon authentication, preserving the _csrf attribute between pre-login and authenticated sessions. Consequently, CSRF tokens generated before authentication are still valid. Network and same-site attackers can thus obtain a CSRF token for their pre-session, fixate that pre-session in the victim's browser via cookie tossing, and then perform a CSRF attack after the victim authenticates.
As a solution, newer versions of @fastify/passport include the configuration options
clearSessionOnLogin (default: true) andclearSessionIgnoreFields (default: ['session'])to clear all the session attributes by default, preserving those explicitly defined in clearSessionIgnoreFields.
| Score | Percentile |
|---|---|
| 0.08% | 24.48% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 6.5 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-2ccf-ffrj-m4qw ↗ |
| CVE | CVE-2023-29020 ↗ |
| CWE id | Name |
|---|---|
| CWE-352 | Cross-Site Request Forgery (CSRF) |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | @fastify/passport | < 1.1.0 | 1.1.0 | — |
| npm | @fastify/passport | >= 2.0.0, < 2.3.0 | 2.3.0 | — |