CVE-2023-29019 – Session fixation in fastify-passport
https://notcve.org/view.php?id=CVE-2023-29019
@fastify/passport is a port of the Passport authentication library to the Fastify ecosystem. Applications that use `@fastify/passport` in affected versions for user authentication, with `@fastify/session` as the underlying session management mechanism, are vulnerable to session fixation attacks from network and same-site attackers. Login and user validation are performed by the `authenticate` function. When that function runs, the `sessionId` is preserved between the pre-login session and the authenticated session. A network or same-site attacker can therefore hijack the victim's session by tossing a valid `sessionId` cookie into the victim's browser (from a sibling subdomain, or over plain HTTP) and waiting for the victim to log in on the website: the cookie the attacker planted becomes an authenticated session. • https://github.com/fastify/fastify-passport/commit/43c82c321db58ea3e375dd475de60befbfcf2a11 https://github.com/fastify/fastify-passport/security/advisories/GHSA-4m3m-ppvx-xgw9 https://owasp.org/www-community/attacks/Session_fixation • CWE-384: Session Fixation •
CVE-2023-27495 – Bypass of CSRF protection in the presence of predictable userInfo in @fastify/csrf-protection
https://notcve.org/view.php?id=CVE-2023-27495
@fastify/csrf-protection is a plugin that helps protect Fastify servers against CSRF attacks. The CSRF protection enforced by the @fastify/csrf-protection library in combination with @fastify/cookie can be bypassed by network and same-site attackers under certain conditions. @fastify/csrf-protection supports an optional `userInfo` parameter that binds the CSRF token to the user. This parameter was introduced to prevent cookie-tossing attacks, as the fix for CVE-2021-29624. Whenever the `userInfo` parameter is missing, or its value can be predicted for the target user account, network and same-site attackers can 1. fixate a `_csrf` cookie in the victim's browser, and 2. forge CSRF tokens that are valid for the victim's session, because the cookie they planted supplies every secret the token is derived from. • https://github.com/fastify/csrf-protection/commit/be3e5761f37aa05c7c1ac8ed44499c51ecec8058 https://github.com/fastify/csrf-protection/security/advisories/GHSA-qrgf-9gpc-vrxw https://www.cvedetails.com/cve/CVE-2021-29624 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-25576 – @fastify/multipart vulnerable to DoS due to unlimited number of parts
https://notcve.org/view.php?id=CVE-2023-25576
@fastify/multipart is a Fastify plugin that parses the multipart content type. Prior to versions 7.4.1 and 6.0.1, @fastify/multipart is vulnerable to denial of service in several situations where an unlimited number of parts is accepted: the multipart body parser accepts an unlimited number of file parts, an unlimited number of field parts, and an unlimited number of empty parts, which it counts as field parts. This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x). There are no known workarounds. • https://github.com/fastify/fastify-multipart/commit/85be81bedf5b29cfd9fe3efc30fb5a17173c1297 https://github.com/fastify/fastify-multipart/releases/tag/v6.0.1 https://github.com/fastify/fastify-multipart/releases/tag/v7.4.1 https://github.com/fastify/fastify-multipart/security/advisories/GHSA-hpp2-2cr5-pf6g https://hackerone.com/reports/1816195 • CWE-770: Allocation of Resources Without Limits or Throttling •
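The three unbounded cases above (files, fields, empty parts counted as fields) are easiest to see with a part counter that enforces caps. The following is an added example, not @fastify/multipart or busboy code: it builds constructed multipart bodies and walks their parts, throwing as soon as a cap is exceeded rather than after the whole body has been consumed. The limit names mirror busboy's `limits.parts`, `limits.files` and `limits.fields`, which @fastify/multipart passes through; the default values and the error class are this example's own.

```javascript
// Builds a constructed multipart/form-data body with CRLF line endings, as on
// the wire. Parts with a filename are file parts, parts without are field
// parts, and parts with no headers at all are "empty parts".
function buildMultipartBody(boundary, parts) {
  let body = '';
  for (const p of parts) {
    body += `--${boundary}\r\n`;
    if (p.empty) { body += '\r\n'; continue; }           // no headers, no content
    const disposition = p.filename === undefined
      ? `form-data; name="${p.name}"`
      : `form-data; name="${p.name}"; filename="${p.filename}"`;
    body += `Content-Disposition: ${disposition}\r\n`;
    if (p.filename !== undefined) body += 'Content-Type: application/octet-stream\r\n';
    body += `\r\n${p.body}\r\n`;
  }
  return body + `--${boundary}--\r\n`;
}

class PartsLimitError extends Error {
  constructor(limit, max) {
    super(`multipart: too many ${limit} (limit ${max})`);
    this.limit = limit;
  }
}

// Walks the parts and enforces limits. Returns the counts or throws
// PartsLimitError naming the first limit that was hit. Parsing stops at that
// point, so an attacker cannot force the server to walk a million parts.
function countMultipartParts(body, boundary, limits = {}) {
  const max = { parts: 1000, files: Infinity, fields: Infinity, ...limits };
  const counts = { parts: 0, files: 0, fields: 0 };
  const segments = body.split(`--${boundary}`);
  for (const seg of segments.slice(1)) {          // segments[0] is the preamble
    if (seg.startsWith('--')) break;              // closing delimiter "--boundary--"
    bump(counts, max, 'parts');
    const headerEnd = seg.indexOf('\r\n\r\n');
    const headers = headerEnd === -1 ? seg : seg.slice(0, headerEnd);
    // An empty part has no Content-Disposition and so lands in the field
    // bucket: exactly the case the advisory calls out as unbounded.
    bump(counts, max, /filename=/i.test(headers) ? 'files' : 'fields');
  }
  return counts;
}

function bump(counts, max, kind) {
  counts[kind] += 1;
  if (counts[kind] > max[kind]) throw new PartsLimitError(kind, max[kind]);
}

// Convenience: the name of the limit a body trips, or null if it is within limits.
function limitHitBy(body, boundary, limits) {
  try { countMultipartParts(body, boundary, limits); return null; }
  catch (e) { if (e instanceof PartsLimitError) return e.limit; throw e; }
}

// Constructed inputs: a normal upload and a flood of empty parts.
const BOUNDARY = 'xYzBoundary7d3';
const normalBody = buildMultipartBody(BOUNDARY, [
  { name: 'f1', filename: 'a.txt', body: 'hello' },
  { name: 'f2', filename: 'b.bin', body: '\x00\x01' },
  { name: 'title', body: 't' },
  { name: 'tags', body: 'x' },
  { name: 'note', body: '' },
]);
const emptyFlood = buildMultipartBody(BOUNDARY, Array.from({ length: 5000 }, () => ({ empty: true })));
```

With no caps at all the flood is simply 5000 field parts; with the default `parts` cap it is rejected after the 1001st part, and with `fields: 100` after the 101st. When configuring the real plugin, set `limits.fields`, `limits.files` and `limits.parts` to what the route actually needs rather than relying on defaults.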
CVE-2022-41919 – Fastify vulnerable to Cross-Site Request Forgery (CSRF) attack via incorrect content type
https://notcve.org/view.php?id=CVE-2022-41919
Fastify is a web framework with minimal overhead and a plugin architecture. An attacker can use an incorrect `Content-Type` header to bypass the preflight check that browsers apply to cross-origin `fetch()` requests. A `fetch()` request whose Content-Type essence is "application/x-www-form-urlencoded", "multipart/form-data" or "text/plain" is CORS-safelisted and is sent without a preflight, and such a request could still be routed to a handler that only accepts the `application/json` content type. This bypasses any CORS protection and can therefore lead to a Cross-Site Request Forgery attack. This issue has been patched in versions 4.10.2 and 3.29.4. As a workaround, implement Cross-Site Request Forgery protection using `@fastify/csrf`. • https://github.com/fastify/fastify/commit/62dde76f1f7aca76e38625fe8d983761f26e6fc9 https://github.com/fastify/fastify/security/advisories/GHSA-3fjj-p79j-c9hh https://www.npmjs.com/package/%40fastify/csrf • CWE-352: Cross-Site Request Forgery (CSRF) •
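The bypass hinges on two parties reading the same header differently: the browser decides whether to preflight from the Content-Type essence, while a server that matches parser names loosely may still pick the JSON parser. The following is an added example, not Fastify's own content-type parser: the loose matcher is a simplified model of a substring check (an assumption, used to make the mismatch visible), the strict matcher compares the essence, and the registered parser list and route are this example's assumptions. The browser-side rule it encodes is the Fetch spec's CORS-safelisted Content-Type check.

```javascript
// Registered body parsers in registration order (assumption: one JSON route,
// one text route). Only the matching rule matters here.
const REGISTERED_PARSERS = ['application/json', 'text/plain'];

// Essence as in the MIME Sniffing / Fetch specs: type/subtype with parameters
// stripped, ASCII-lowercased.
function essence(contentType) {
  return String(contentType).split(';')[0].trim().toLowerCase();
}

// Loose matching (model of the bypassed check, not Fastify's code): the first
// registered type that appears anywhere in the header value.
function selectParserLoose(contentType) {
  const value = String(contentType).toLowerCase();
  return REGISTERED_PARSERS.find((t) => value.includes(t)) || null;
}

// Strict matching: compare the essence only, so parameters cannot smuggle in
// another media type.
function selectParserByEssence(contentType) {
  const e = essence(contentType);
  return REGISTERED_PARSERS.includes(e) ? e : null;
}

// Browser side: a cross-origin fetch whose Content-Type essence is one of these
// three (with otherwise simple headers) is sent without a preflight, and with
// credentials: 'include' the victim's cookies go along.
const CORS_SAFELISTED_TYPES = [
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
];
function requiresPreflight(contentType) {
  return !CORS_SAFELISTED_TYPES.includes(essence(contentType));
}

// Does a cross-origin fetch with this Content-Type reach a JSON-only route?
// A preflighted request never reaches the handler unless CORS approves it.
function crossOriginHitsJsonRoute(contentType, selectParser) {
  if (requiresPreflight(contentType)) return false;
  return selectParser(contentType) === 'application/json';
}

// Attacker page, conceptually (constructed, not run here):
//   fetch('https://app.example/api/transfer', {
//     method: 'POST',
//     credentials: 'include',
//     headers: { 'Content-Type': 'text/plain; application/json' },
//     body: JSON.stringify({ to: 'attacker', amount: 1000 }),
//   });
//
// crossOriginHitsJsonRoute('application/json', selectParserLoose)             -> false (preflighted)
// crossOriginHitsJsonRoute('text/plain; application/json', selectParserLoose) -> true  (bypass)
// crossOriginHitsJsonRoute('text/plain; application/json', selectParserByEssence) -> false
```

The check to carry into code review is the strict one: a parser must be selected on the parsed essence, never on whether a registered name occurs somewhere in the raw header value. Independently of that fix, a state-changing JSON route still deserves CSRF tokens or an equivalent origin check, which is what the workaround in the advisory recommends.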
CVE-2022-39386 – fastify-websocket vulnerable to uncaught exception via crash on malformed packet
https://notcve.org/view.php?id=CVE-2022-39386
@fastify/websocket provides WebSocket support for Fastify. Any application using @fastify/websocket could crash if a specific, malformed packet is sent. All versions of the older fastify-websocket module are also affected; that module is deprecated, so it will not be patched. This has been patched in version 7.1.1 (for Fastify v4) and version 5.0.1 (for Fastify v3). • https://github.com/fastify/fastify-websocket/security/advisories/GHSA-4pcg-wr6c-h9cq • CWE-248: Uncaught Exception •