CVE-2023-27495

Name of the Vulnerable Software and Affected Versions @fastify/csrf-protection versions prior to 4.1.0 @fastify/csrf-protection versions prior to 6.3.0

Description The CSRF protection mechanism in the @fastify/csrf-protection library can be bypassed by network and same-site attackers under certain conditions, allowing them to fixate a csrf cookie in the victim's browser and forge valid CSRF tokens. This is possible when the userInfo parameter is missing or its value can be predicted for the target user account. The issue can be exploited by attackers to bypass the CSRF protection.

Recommendations For versions prior to 4.1.0, upgrade to version 4.1.0 or later. For versions prior to 6.3.0, upgrade to version 6.3.0 or later. As a temporary mitigation for users unable to upgrade, use a random, non-predictable userInfo parameter for each user.