PT-2023-22093 · Unknown · @Fastify/Passport+1

Pedromigueladao · Published 2023-04-21 · Updated 2023-05-03 · CVE-2023-29020

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: @fastify/passport versions prior to the version that includes the configuration options clearSessionOnLogin and clearSessionIgnoreFields.

Description: The CSRF protection enforced by the @fastify/csrf-protection library, when combined with @fastify/passport, can be bypassed by network and same-site attackers. The @fastify/csrf-protection library implements the synchronizer token pattern by storing a random value used for CSRF token generation in the csrf attribute of a user's session. The @fastify/passport library does not clear the session object upon authentication, so the csrf attribute is preserved between the pre-login and the authenticated session. Consequently, CSRF tokens generated before authentication remain valid after login. Network and same-site attackers can thus obtain a CSRF token for their own pre-login session, fixate that session in the victim's browser via cookie tossing, and then perform a CSRF attack after the victim authenticates.

Recommendations: Update @fastify/passport to a version that includes the configuration options clearSessionOnLogin and clearSessionIgnoreFields, and set clearSessionOnLogin to true so that all session attributes are cleared on login by default, preserving only those explicitly listed in clearSessionIgnoreFields. Until a patched version can be deployed, consider temporarily disabling the @fastify/csrf-protection library, or restrict access to the vulnerable module to minimize the risk of exploitation.

Exploit

Fix

CSRF

Session Fixation

Weakness Enumeration

Related Identifiers

CVE-2023-29020
GHSA-2CCF-FFRJ-M4QW

Affected Products

@Fastify/Csrf-Protection
@Fastify/Passport