SCA: security update for @fastify/csrf-protection (GHSA-qrgf-9gpc-vrxw)

medium Tenable Cloud Security Plugin ID 418298

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- @fastify/csrf-protection is a plugin which helps protect Fastify servers against CSRF attacks. The CSRF
protection enforced by the @fastify/csrf-protection library in combination with @fastify/cookie can be
bypassed from network and same-site attackers under certain conditions. @fastify/csrf-protection supports
an optional userInfo parameter that binds the CSRF token to the user. This parameter has been introduced
to prevent cookie-tossing attacks as a fix for CVE-2021-29624. Whenever userInfo parameter is missing, or
its value can be predicted for the target user account, network and same-site attackers can 1. fixate a
_csrf cookie in the victim's browser, and 2. forge CSRF tokens that are valid for the victim's session.
This allows attackers to bypass the CSRF protection mechanism. As a fix, @fastify/csrf-protection starting
from version 6.3.0 (and v4.1.0) includes a server-defined secret hmacKey that cryptographically binds the
CSRF token to the value of the _csrf cookie and the userInfo parameter, making tokens non-spoofable by
attackers. This protection is effective as long as the userInfo parameter is unique for each user. This is
patched in versions 6.3.0 and v4.1.0. Users are advised to upgrade. Users unable to upgrade may use a
random, non-predictable userInfo parameter for each user as a mitigation. (CVE-2023-27495)

See Also

https://github.com/advisories/GHSA-qrgf-9gpc-vrxw

Plugin Details

Severity: Medium

ID: 418298

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2023-27495

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/20/2023

Vulnerability Publication Date: 4/20/2023

Reference Information

CVE: CVE-2023-27495

cwe: CWE-352