
CVE-2022-41919

Fastify vulnerable to Cross-Site Request Forgery (CSRF) attack via incorrect content type

Severity Score: 8.8 (CVSS v3.1)
Exploit Likelihood (EPSS): -
Affected Versions (CPE): see Affected Vendors, Products, and Versions below
Public Exploits: 0 (multiple sources)
Exploited in Wild (KEV): -
Decision (SSVC): -
Descriptions

Fastify is a web framework with minimal overhead and a plugin architecture. An attacker can use an incorrect `Content-Type` to bypass the pre-flight check that `fetch` performs. `fetch()` requests whose Content-Type essence is "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain" are sent without a CORS pre-flight, and could potentially be used to invoke routes that only accept the `application/json` content type, thus bypassing any CORS protection; this can therefore lead to a Cross-Site Request Forgery attack. This issue has been patched in versions 4.10.2 and 3.29.4. As a workaround, implement Cross-Site Request Forgery protection using `@fastify/csrf`.

The defensive point behind this description is that a route which selects its body parser by matching the string "application/json" loosely, rather than by comparing the parsed MIME essence, can be reached by a cross-site `fetch()` that the browser sends without a pre-flight. The following is an added example written for this page, not Fastify's code: it contrasts a constructed weak matcher with a hardened one that compares the essence exactly, and runs both over constructed header values. The names (`mimeEssence`, `weakAcceptsJson`, `strictAcceptsJson`, `checkRequest`, `audit`) and the sample header values are all assumptions made here; the "no pre-flight" test considers only the Content-Type header, which is also an assumption.

```javascript
// Added example, not Fastify's code. Shows why a JSON-only route must compare
// the parsed Content-Type essence rather than match "application/json" loosely:
// a cross-site fetch() whose essence is CORS-safelisted gets no pre-flight, so
// only the server-side check stands between it and the route. The weak matcher
// and every header value below are constructed for illustration.

// Content types a browser sends cross-origin without a CORS pre-flight
// (the three "simple request" content types named in the advisory).
const CORS_SAFELISTED = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Return the essence ("type/subtype", lower-cased, parameters dropped) of a
// Content-Type header value, or null when it is not a well-formed MIME type.
function mimeEssence(contentType) {
  if (typeof contentType !== 'string') return null;
  const essence = contentType.split(';')[0].trim().toLowerCase();
  const wellFormed = /^[a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+$/.test(essence);
  return wellFormed ? essence : null;
}

// A cross-site fetch() with this Content-Type (and no other custom headers,
// an assumption made here) is sent straight away, with no pre-flight.
function sentWithoutPreflight(contentType) {
  const essence = mimeEssence(contentType);
  return essence !== null && CORS_SAFELISTED.has(essence);
}

// Weak matcher (constructed): hands the request to the JSON parser if the
// string "application/json" appears anywhere in the header value.
function weakAcceptsJson(contentType) {
  return typeof contentType === 'string' && contentType.includes('application/json');
}

// Hardened matcher: the parsed essence must be exactly application/json.
function strictAcceptsJson(contentType) {
  return mimeEssence(contentType) === 'application/json';
}

// Evaluate one header value: the JSON-only route is reachable by a plain
// cross-site fetch() only when the request skips pre-flight AND the matcher
// still routes it to the JSON parser.
function checkRequest(contentType, acceptsJson) {
  const noPreflight = sentWithoutPreflight(contentType);
  const parsedAsJson = acceptsJson(contentType);
  return { noPreflight, parsedAsJson, crossSiteReachable: noPreflight && parsedAsJson };
}

// Constructed sample header values.
const SAMPLE_HEADERS = [
  'application/json',                  // ordinary API client: pre-flight required
  'application/json; charset=utf-8',   // same, with a parameter
  'text/plain; charset=utf-8',         // safelisted essence, not JSON
  'text/plain; foo=application/json',  // safelisted essence, JSON only in a parameter
];

// Run both matchers over the samples and report which values would let a
// cross-site request reach the JSON route under each matcher.
function audit(headers = SAMPLE_HEADERS) {
  return headers.map((h) => ({
    header: h,
    weak: checkRequest(h, weakAcceptsJson).crossSiteReachable,
    strict: checkRequest(h, strictAcceptsJson).crossSiteReachable,
  }));
}

for (const r of audit()) {
  console.log(`${r.header.padEnd(36)} weak matcher: ${r.weak}  strict matcher: ${r.strict}`);
}
```

Only the last sample value reaches the route under the weak matcher, and none does under the strict one; the hardened check is the property the patched versions provide, and a CSRF token (the advisory's `@fastify/csrf` workaround) is the independent second layer for deployments that cannot upgrade.
<test>
assert.strictEqual(mimeEssence('Text/Plain; charset=utf-8'), 'text/plain');
assert.strictEqual(mimeEssence('not a mime type'), null);
assert.strictEqual(mimeEssence(undefined), null);
assert.strictEqual(sentWithoutPreflight('application/json'), false);
assert.strictEqual(sentWithoutPreflight('multipart/form-data; boundary=xyz'), true);
assert.strictEqual(weakAcceptsJson('text/plain; foo=application/json'), true);
assert.strictEqual(strictAcceptsJson('text/plain; foo=application/json'), false);
assert.strictEqual(checkRequest('text/plain; foo=application/json', weakAcceptsJson).crossSiteReachable, true);
assert.strictEqual(checkRequest('text/plain; foo=application/json', strictAcceptsJson).crossSiteReachable, false);
assert.strictEqual(checkRequest('application/json', strictAcceptsJson).parsedAsJson, true);
assert.strictEqual(checkRequest('application/json', strictAcceptsJson).noPreflight, false);
const report = audit();
assert.strictEqual(report.length, 4);
assert.strictEqual(report.filter((r) => r.weak).length, 1);
assert.strictEqual(report.filter((r) => r.strict).length, 0);
</test>

Credits: N/A
CVSS Scores (Common Vulnerability Scoring System, v3.1)

The page lists two vectors; the 8.8 severity score above corresponds to the first.

Metric               Vector 1 (score 8.8)   Vector 2
Attack Vector        Network                Network
Attack Complexity    Low                    High
Privileges Required  None                   None
User Interaction     Required               Required
Scope                Unchanged              Unchanged
Confidentiality      High                   Low
Integrity            High                   Low
Availability         High                   None

Vector 1: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vector 2: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
SSVC (Organization's Worst-case Scenario)
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
Timeline
  • 2022-09-30 CVE Reserved
  • 2022-11-22 CVE Published
  • 2024-07-13 EPSS Updated
  • 2024-08-03 CVE Updated
  • Exploited in Wild: not recorded
  • KEV Due Date: not recorded
  • First Exploit: not recorded
CWE
  • CWE-352: Cross-Site Request Forgery (CSRF)
Affected Vendors, Products, and Versions

Vendor   Product  Version             Other    Status
Fastify  Fastify  >= 3.0.0 < 3.29.4   node.js  Affected
Fastify  Fastify  >= 4.0.0 < 4.10.2   node.js  Affected