CVE-2023-29020: CSRF token fixation in fastify-passport
CVSS Score: 6.5 (CVSS v3.1)
Basic Information
CVE ID: CVE-2023-29020
GHSA ID:
EPSS Score: 0.21943%
CWE:
Published: 4/21/2023
Updated: 11/9/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @fastify/passport | npm | < 1.1.0 | 1.1.0 |
| @fastify/passport | npm | >= 2.0.0, < 2.3.0 | 2.3.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from session state persisting across the authentication boundary. The SecureSessionManager.logIn function was vulnerable because it authenticated the user without clearing the attributes already present in the existing session. The commit diff shows this function was modified to add session cleanup logic (regenerating the session or clearing its fields) when clearSessionOnLogin is enabled. Before this fix, the missing cleanup preserved the _csrf value from the pre-login session into the authenticated session, so a CSRF token established before login remained valid after the user authenticated, which is what enables CSRF token fixation. The direct modification of this function in the security patch confirms its role in the vulnerability.