Impact
Users of fastify-csrf with the "double submit" mechanism (the CSRF secret stored in a cookie) in an application deployed across multiple subdomains, e.g. a "heroku"-style platform as a service, are affected.
Patches
Version 3.1.0 of fastify-csrf fixes it.
See #51 and fastify/csrf#2.
The user of the module needs to supply a userInfo when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains.
Workarounds
None available.
References
Credits
This vulnerability was found by Xhelal Likaj xhelallikaj20@gmail.com.
For more information
If you have any questions or comments about this advisory: