Description
The default cookie name (and documentation recommendation) was prefixed with Host__ instead of __Host-. The point of this prefix is for additional security, to ensure that, when no domain option is provided in the cookie options, we can guarantee the cookie came from the correct domain.
Recommendation
Update the csrf-csrf package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.2.1
- Patched version(s): 2.2.1
References
Related Issues
- Elliptic's EDDSA missing signature length check - CVE-2024-42459
- @langchain/community SQL Injection vulnerability - CVE-2024-7042
- Nuxt Devtools has a Path Traversal: '../filedir - CVE-2024-23657
- @thi.ng/paths Prototype Pollution vulnerability - CVE-2024-29650
- Tags:
- npm
- csrf-csrf
Anything's wrong? Let us know Last updated on January 09, 2023