Description
The default cookie name (and documentation recommendation) was prefixed with Host__ instead of __Host-. The point of this prefix is for additional security, to ensure that, when no domain option is provided in the cookie options, we can guarantee the cookie came from the correct domain.
Recommendation
Update the csrf-csrf package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.2.1
- Patched version(s): 2.2.1
References
Related Issues
- Incorrect Default Permissions in log4js - CVE-2022-21704
- @saltcorn/plugins-loader unsanitized plugin name leads to a remote code execution (RCE) vulnerability when creating plug - Vulnerability
- Incorrect version tags linked to external repository - Vulnerability
- tough-cookie Prototype Pollution vulnerability - CVE-2023-26136
- Tags:
- npm
- csrf-csrf
Anything's wrong? Let us know Last updated on January 09, 2023