Description
The default cookie name (and documentation recommendation) was prefixed with Host__ instead of __Host-. The point of this prefix is for additional security, to ensure that, when no domain option is provided in the cookie options, we can guarantee the cookie came from the correct domain.
Recommendation
Update the csrf-csrf package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.2.1
- Patched version(s): 2.2.1
References
Related Issues
- Incorrect Default Permissions in log4js - CVE-2022-21704
- @saltcorn/plugins-loader unsanitized plugin name leads to a remote code execution (RCE) vulnerability when creating plug - Vulnerability
- cookie accepts cookie name, path, and domain with out of bounds characters - CVE-2024-47764
- FUXA contains an insecure default configuration vulnerability - CVE-2025-69970
You might also like:
- Tags:
- npm
- csrf-csrf
Anything's wrong? Let us know Last updated on January 09, 2023