CVE-2022-41919

Fastify vulnerable to Cross-Site Request Forgery (CSRF) attack via incorrect content type

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect `Content-Type` to bypass the `Pre-Flight` checking of `fetch`. `fetch()` requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts `application/json` content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack. This issue has been patched in version 4.10.2 and 3.29.4. As a workaround, implement Cross-Site Request Forgery protection using `@fastify/csrf'.

Fastify es un framework web con una arquitectura de complementos y gastos generales mínimos. El atacante puede utilizar el "Content-Type" incorrecto para omitir la comprobación "Pre-Flight" de "fetch". Las solicitudes `fetch()` con la esencia de Content-Type como "application/x-www-form-urlencoded", "multipart/form-data" o "text/plain", podrían usarse potencialmente para invocar rutas que solo acepta el tipo de contenido `application/json`, evitando así cualquier protección CORS y, por lo tanto, podría provocar un ataque de Cross-Site Request Forgery (CSRF). Este problema se solucionó en las versiones 4.10.2 y 3.29.4. Como workaround, implemente la protección contra Cross-Site Request Forgery (CSRF) utilizando `@fastify/csrf'.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-30 CVE Reserved
2022-11-22 CVE Published
2024-07-13 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-352: Cross-Site Request Forgery (CSRF)

CAPEC

References (3)

URL	Tag	Source
https://github.com/fastify/fastify/security/advisories/GHSA-3fjj-p79j-c9hh	Third Party Advisory
https://www.npmjs.com/package/%40fastify/csrf

URL	Date	SRC

URL	Date	SRC
https://github.com/fastify/fastify/commit/62dde76f1f7aca76e38625fe8d983761f26e6fc9	2023-11-07

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Fastify Search vendor "Fastify"		Fastify Search vendor "Fastify" for product "Fastify"				>= 3.0.0 < 3.29.4 Search vendor "Fastify" for product "Fastify" and version " >= 3.0.0 < 3.29.4"		node.js		Affected
Fastify Search vendor "Fastify"		Fastify Search vendor "Fastify" for product "Fastify"				>= 4.0.0 < 4.10.2 Search vendor "Fastify" for product "Fastify" and version " >= 4.0.0 < 4.10.2"		node.js		Affected