
CVE-2021-29624: Lack of protection against cookie tossing attacks in fastify-csrf

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.50115%
Published: 5/17/2021
Updated: 1/28/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
fastify-csrf   npm         < 3.1.0               3.1.0

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stemmed from missing user-context binding in CSRF token creation and verification. The patches add 'getUserInfo' to both the token generation (create) and validation (verify) flows. Before the patch, the modified functions in index.js handled the CSRF token lifecycle without any user-specific data, making them the exploitation points: a token derived from a cookie secret that an attacker controls (for example, one set from a sibling subdomain) verified just as well as one derived from the legitimate user's secret. Runtime detection would observe token processing functions being called without user-context validation.


WAF Protection Rules

WAF Rule

Impact: Users that used fastify-csrf with the "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service.

Patches: Version 3.1.0 of fastify-csrf fixes it.
