PT-2022-26149 · Fastify · Fastify
Ry0Tak · Published 2022-11-21 · Updated 2022-11-26 · CVE-2022-41919
CVSS v3.1: 4.2 (Medium)
| Vector | AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Fastify versions prior to 3.29.4
Fastify versions prior to 4.10.2
Description
The issue allows an attacker to bypass the browser's CORS preflight check for fetch() requests by supplying an incorrect Content-Type. This could potentially be used to invoke routes that only accept the application/json content type, thus bypassing any CORS protection and leading to a Cross-Site Request Forgery attack. fetch() requests whose Content-Type essence is "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain" are affected.
Recommendations
For versions prior to 3.29.4, update to at least version 3.29.4.
For versions prior to 4.10.2, update to at least version 4.10.2.
As a temporary workaround, implement Cross-Site Request Forgery protection using @fastify/csrf.
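The defensive point behind this advisory is that a JSON-only route must compare the Content-Type essence (the type/subtype with all parameters removed, as defined by the MIME Sniffing standard) and must never treat a request whose essence is one of the three CORS-safelisted values above as JSON. The following is an added example written for this page, not Fastify's own parser or the fix shipped in 3.29.4 / 4.10.2: it parses the essence strictly, classifies the three safelisted essences named in the advisory, and, for contrast, includes a constructed substring matcher that illustrates the general class of loose matching (an assumption for illustration, not a statement about how Fastify's code worked). The `guardJsonRoute` helper also flags rejected requests that arrived preflight-exempt, which is the signal a defender would want in logs.

```javascript
// Added example (not Fastify's code): strict Content-Type essence checking for
// a JSON-only route, plus detection of CORS-safelisted ("simple request")
// essences. The loose matcher is a constructed illustration of the bug class,
// not a copy of any Fastify version's parser.

// Content-Type essences that a browser sends from fetch() without a preflight
// (the three values named in the advisory). A body arriving with one of these
// must never be parsed as JSON by a route that is protected only by CORS.
const SAFELISTED_ESSENCES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Return the essence (type/subtype) of a Content-Type header value: drop
// everything from the first ';' on, trim, lower-case, and require exactly one
// '/' between two non-empty tokens with no tspecials. Returns null when the
// header is missing or malformed, so callers fail closed.
function contentTypeEssence(header) {
  if (typeof header !== 'string') return null;
  const essence = header.split(';', 1)[0].trim().toLowerCase();
  const parts = essence.split('/');
  if (parts.length !== 2 || parts[0] === '' || parts[1] === '') return null;
  if (/[\s"(),:;<>?=@\[\]\\]/.test(essence)) return null; // not a valid token
  return essence;
}

// Hardened guard for a JSON-only route: compare the parsed essence only.
// Parameters such as "; charset=utf-8" are allowed; anything else is rejected.
function acceptsJsonStrict(header) {
  return contentTypeEssence(header) === 'application/json';
}

// Constructed loose matcher illustrating the bug class: searching for the
// expected type anywhere in the raw header lets text after ';' satisfy the
// check even though the essence is something else entirely.
function acceptsJsonLoose(header) {
  return typeof header === 'string' && header.toLowerCase().includes('application/json');
}

// Would a browser have sent this request without a CORS preflight?
function isPreflightExempt(header) {
  const essence = contentTypeEssence(header);
  return essence !== null && SAFELISTED_ESSENCES.has(essence);
}

// Route guard: allow only a genuine application/json essence. When a request
// is rejected, also report whether it was preflight-exempt; a JSON route
// seeing such requests is the detection signal for this CSRF pattern.
function guardJsonRoute(header) {
  if (acceptsJsonStrict(header)) return { allow: true, flag: false };
  return { allow: false, flag: isPreflightExempt(header) };
}

// Constructed sample headers, e.g. as seen in a request log.
const SAMPLE_HEADERS = [
  'application/json; charset=utf-8',   // legitimate JSON request
  'text/plain; application/json',      // safelisted essence, junk parameter
  'multipart/form-data; boundary=----constructedBoundary',
  'application/xml',
];

for (const h of SAMPLE_HEADERS) {
  const { allow, flag } = guardJsonRoute(h);
  console.log(`${h.padEnd(56)} strict=${allow} loose=${acceptsJsonLoose(h)} preflight_exempt_rejection=${flag}`);
}
```

The loose matcher accepts the second sample header while the strict guard rejects it and sets `flag`, which is the event worth alerting on: a JSON-only route being hit with a body the browser was allowed to send cross-origin without a preflight.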
Affected Products
Fastify