@fastify/oauth2 vulnerable to Cross Site Request Forgery due to reused Oauth2 state
- Severity: High
Description
All affected versions of @fastify/oauth2 generated the OAuth 2.0 `state` parameter once, at startup, and reused that single value across all requests for all users. The purpose of the `state` parameter is to bind an authorization request to the browser session that initiated it, so that the callback can be rejected if it was not started by that same session; this is what prevents Cross-Site Request Forgery against the OAuth flow. With a fixed, process-wide value, every callback carrying it passes the check, so an attacker who completes the provider leg in their own browser can capture the resulting callback URL (authorization code plus the shared `state`) and lure a victim into loading it, and the application cannot tell that the victim never started that flow. To confirm exposure, start the authorization flow from two independent browser sessions and compare the `state` query parameter in the redirect to the provider: a vulnerable version emits the same value for both.
Recommendation
Update the @fastify/oauth2 package to the latest compatible version. Version details:
- Affected version(s): < 7.2.0
- Patched version(s): 7.2.0
References
Related Issues
- SvelteKit vulnerable to Cross-Site Request Forgery - CVE-2023-29003
- NASA Open MCT Cross Site Request Forgery (CSRF) vulnerability - CVE-2023-45884
- Axios Cross-Site Request Forgery Vulnerability - CVE-2023-45857
- layui vulnerable to cross-site scripting - CVE-2023-3691
- Tags:
- npm
- @fastify/oauth2
Last updated on November 10, 2023