PT-2021-11545 · Unknown · Fastify-Csrf
Matteo Collina · Published 2021-01-19 · Updated 2021-01-27 · CVE-2020-28482
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
fastify-csrf versions prior to 3.0.0
Description:
The issue affects the fastify-csrf package, where the generated cookie uses insecure defaults and lacks the httpOnly flag, as seen in cookieOpts: { path: '/', sameSite: true }. Additionally, the CSRF token is available in the GET query parameter. This set of issues compromises the package's ability to provide CSRF protection.
Recommendations:
For versions prior to 3.0.0, update to version 3.0.0 or later to resolve the issue. As a temporary workaround, set the httpOnly flag on the cookie and restrict access to the CSRF token in the GET query parameter.
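The two workarounds above can be checked mechanically. The following Node.js snippet is an added example, not code from fastify-csrf or from the advisory: it serialises a cookie from a cookieOpts-style object (the weak object quoted above beside a hardened one), audits the resulting Set-Cookie header for the missing HttpOnly, Secure and SameSite attributes, and reads the CSRF token only from a request header or POST body, never from the GET query string. The header name x-csrf-token and the body field _csrf are assumptions chosen for the illustration; the serialiser and the audit use only standard cookie attributes.

```javascript
// Added example (not fastify-csrf's own code). Header and field names are
// assumptions for this illustration; cookie attributes are the standard ones.

// The weak defaults quoted in the advisory: no HttpOnly, no Secure.
const WEAK_COOKIE_OPTS = { path: '/', sameSite: true };

// A hardened cookieOpts object: scripts cannot read the cookie, it is sent
// only over HTTPS, and the browser never attaches it to cross-site requests.
const HARDENED_COOKIE_OPTS = { path: '/', sameSite: 'strict', httpOnly: true, secure: true };

// Minimal Set-Cookie serialiser for the attributes used here.
function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.sameSite !== undefined) {
    // `true` is the usual shorthand for Strict; strings are normalised in case.
    const mode = opts.sameSite === true ? 'strict' : String(opts.sameSite);
    parts.push(`SameSite=${mode.charAt(0).toUpperCase() + mode.slice(1).toLowerCase()}`);
  }
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  return parts.join('; ');
}

// Audit a Set-Cookie header value and return the hardening attributes it lacks.
// An empty array means the cookie carries HttpOnly, Secure and a restrictive SameSite.
function auditSetCookie(header) {
  const attrs = header.split(';').slice(1).map(a => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.includes('secure')) missing.push('Secure');
  const sameSite = attrs.find(a => a.startsWith('samesite='));
  if (!sameSite || sameSite === 'samesite=none') missing.push('SameSite=Lax|Strict');
  return missing;
}

// Token extraction in the style of a getToken hook: accept the token from a
// request header or a POST body field only. The query string is deliberately
// never consulted, because query parameters end up in access logs, Referer
// headers and browser history, and a forged cross-site GET can carry one.
function getCsrfToken(req) {
  const headerToken = req.headers && req.headers['x-csrf-token'];
  if (typeof headerToken === 'string' && headerToken.length > 0) return headerToken;
  const bodyToken = req.body && req.body._csrf;
  if (typeof bodyToken === 'string' && bodyToken.length > 0) return bodyToken;
  return null;
}

// Constructed sample run: compare the two configurations.
console.log(auditSetCookie(serializeCookie('_csrf', 'abc', WEAK_COOKIE_OPTS)));     // [ 'HttpOnly', 'Secure' ]
console.log(auditSetCookie(serializeCookie('_csrf', 'abc', HARDENED_COOKIE_OPTS))); // []
console.log(getCsrfToken({ headers: {}, query: { _csrf: 'abc' } }));              // null
```

The audit function is also usable as a quick check in an integration test: fetch a route that issues the CSRF cookie and assert that auditSetCookie on its Set-Cookie header returns an empty array.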
Fix
Information Disclosure
Incorrect Permission
CSRF
Affected Products: Fastify-Csrf