Pedromigueladao

**Name of the Vulnerable Software and Affected Versions** @fastify/passport versions prior to the version that regenerates sessionId upon login **Description** Applications using @fastify/passport for user authentication, in combination with @fastify/session as the underlying session management mechanism, are vulnerable to session fixation attacks from network and same-site attackers. The login and user validation are performed by the authenticate function. When executing this function, the sessionId is preserved between the pre-login and the authenticated session. Network and same-site attackers can hijack the victim's session by tossing a valid sessionId cookie in the victim's browser and waiting for the victim to log in on the website. **Recommendations** As a solution, upgrade to a newer version of @fastify/passport that regenerates sessionId upon login, preventing the attacker-controlled pre-session cookie from being upgraded to an authenticated session. For versions prior to the fixed version, consider disabling the authenticate function until a patch is available, or restrict access to the @fastify/session module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** @fastify/passport versions prior to the version that includes the configuration options clearSessionOnLogin and clearSessionIgnoreFields **Description** The CSRF protection enforced by the @fastify/csrf-protection library, when combined with @fastify/passport, can be bypassed by network and same-site attackers. The @fastify/csrf-protection library implements the synchronizer token pattern by storing a random value used for CSRF token generation in the ` csrf` attribute of a user's session. The @fastify/passport library does not clear the session object upon authentication, preserving the ` csrf` attribute between pre-login and authenticated sessions. Consequently, CSRF tokens generated before authentication are still valid. Network and same-site attackers can thus obtain a CSRF token for their pre-session, fixate that pre-session in the victim's browser via cookie tossing, and then perform a CSRF attack after the victim authenticates. **Recommendations** As a solution, update @fastify/passport to a version that includes the configuration options clearSessionOnLogin and clearSessionIgnoreFields, and set clearSessionOnLogin to true to clear all the session attributes by default, preserving those explicitly defined in clearSessionIgnoreFields. Consider temporarily disabling the `@fastify/csrf-protection` library until a patch is available, or restrict access to the vulnerable module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** @fastify/csrf-protection versions prior to 4.1.0 @fastify/csrf-protection versions prior to 6.3.0 **Description** The CSRF protection mechanism in the @fastify/csrf-protection library can be bypassed by network and same-site attackers under certain conditions, allowing them to fixate a csrf cookie in the victim's browser and forge valid CSRF tokens. This is possible when the userInfo parameter is missing or its value can be predicted for the target user account. The issue can be exploited by attackers to bypass the CSRF protection. **Recommendations** For versions prior to 4.1.0, upgrade to version 4.1.0 or later. For versions prior to 6.3.0, upgrade to version 6.3.0 or later. As a temporary mitigation for users unable to upgrade, use a random, non-predictable `userInfo` parameter for each user.