6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-29020

GHSA ID

GHSA-2ccf-ffrj-m4qw

EPSS Score

0.21943%

CWE

CWE-352

Published

4/21/2023

Updated

11/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-29020

CVE-2023-29020: CSRF token fixation in fastify-passport

The CSRF protection enforced by the @fastify/csrf-protection library, when combined with @fastify/passport, can be bypassed by network and same-site attackers.

Details

fastify/csrf-protection implements the synchronizer token pattern (using plugins @fastify/session and @fastify/secure-session) by storing a random value used for CSRF token generation in the _csrf attribute of a user's session.

The @fastify/passport library does not clear the session object upon authentication, preserving the _csrf attribute between pre-login and authenticated sessions. Consequently, CSRF tokens generated before authentication are still valid. Network and same-site attackers can thus obtain a CSRF token for their pre-session, fixate that pre-session in the victim's browser via cookie tossing, and then perform a CSRF attack after the victim authenticates.

Fix

As a solution, newer versions of @fastify/passport include the configuration options

clearSessionOnLogin (default: true) and
clearSessionIgnoreFields (default: ['session'])

to clear all the session attributes by default, preserving those explicitly defined in clearSessionIgnoreFields.

Credits

Pedro Adão (@pedromigueladao), Instituto Superior Técnico, University of Lisbon
Marco Squarcina (@lavish), Security & Privacy Research Unit, TU Wien

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-29020

GHSA ID

GHSA-2ccf-ffrj-m4qw

EPSS Score

0.21943%

CWE

CWE-352

Published

4/21/2023

Updated

11/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@fastify/passport	npm	< 1.1.0	1.1.0
@fastify/passport	npm	>= 2.0.0, < 2.3.0	2.3.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from session persistence across authentication boundaries. The SecureSessionManager.logIn function was vulnerable because it handled user authentication without clearing existing session attributes. The commit diff shows this function was modified to add session cleanup logic (regenerating session/clearing fields) when clearSessionOnLogin is enabled. Before this fix, the absence of session cleanup allowed preservation of the _csrf value between pre-login and authenticated sessions, enabling CSRF token fixation. The direct modification of this function in the security patch confirms its role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** [*SR*](*ttps://ow*sp.or*/www-*ommunity/*tt**ks/*sr*) prot**tion *n*or*** *y t** `@**sti*y/*sr*-prot**tion` li*r*ry, w**n *om*in** wit* `@**sti*y/p*ssport`, **n ** *yp*ss** *y n*twork *n* s*m*-sit* *tt**k*rs. ## **t*ils `**sti*y/*sr*-prot**tion`

Reasoning

T** vuln*r**ility st*ms *rom s*ssion p*rsist*n** **ross *ut**nti**tion *oun**ri*s. T** `S**ur*S*ssionM*n***r.lo*In` *un*tion w*s vuln*r**l* ****us* it **n*l** us*r *ut**nti**tion wit*out *l**rin* *xistin* s*ssion *ttri*ut*s. T** *ommit *i** s*ows t*i

6.5

Basic Information

Concerned about an active attack path?

CVE-2023-29020: CSRF token fixation in fastify-passport

Details

Fix

Credits

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI