6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29624

GHSA ID

GHSA-rc4q-9m69-gqp8

EPSS Score

0.50115%

CWE

CWE-352

Published

5/17/2021

Updated

1/28/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-29624

CVE-2021-29624:
Lack of protection against cookie tossing attacks in fastify-csrf

Impact

Users that used fastify-csrf with the "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service.

Patches

Version 3.1.0 of the fastify-csrf fixes it. See https://github.com/fastify/fastify-csrf/pull/51 and https://github.com/fastify/csrf/pull/2.

The user of the module would need to supply a userInfo when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains.

Workarounds

None available.

References

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf

Credits

This vulnerability was found by Xhelal Likaj xhelallikaj20@gmail.com.

For more information

If you have any questions or comments about this advisory:

Open an issue in fastify-csrf
Email us at hello@matteocollina.com

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29624

GHSA ID

GHSA-rc4q-9m69-gqp8

EPSS Score

0.50115%

CWE

CWE-352

Published

5/17/2021

Updated

1/28/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
fastify-csrf	npm	< 3.1.0	3.1.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from missing user-context binding in CSRF token creation/verification. The patches add 'getUserInfo' to both token generation (create) and validation (verify) flows. The modified functions in index.js directly handled CSRF token lifecycle without user-specific data pre-patch, making them the exploitation points. Runtime detection would observe token processing functions without user-context validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Us*rs t**t us** **sti*y-*sr* wit* t** "*ou*l* su*mit" m****nism usin* *ooki*s wit* *n *ppli**tion **ploy** **ross multipl* su**om*ins, *.*. "**roku"-styl* pl*t*orm *s * s*rvi**. ### P*t***s V*rsion *.*.* o* t** **sti*y-*sr* *ix*s it.

Reasoning

T** vuln*r**ility st*mm** *rom missin* us*r-*ont*xt *in*in* in *SR* tok*n *r**tion/v*ri*i**tion. T** p*t***s *** '**tUs*rIn*o' to *ot* tok*n **n*r*tion (`*r**t*`) *n* v*li**tion (`v*ri*y`) *lows. T** mo*i*i** *un*tions in `in**x.js` *ir**tly **n*l**

6.5

Basic Information

Concerned about an active attack path?

CVE-2021-29624: Lack of protection against cookie tossing attacks in fastify-csrf

Impact

Patches

Workarounds

References

Credits

For more information

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-29624:
Lack of protection against cookie tossing attacks in fastify-csrf

Vulnerability Intelligence
Miggo AI