Description
The default cookie name (and the documentation's recommendation) was prefixed with Host__ instead of __Host-. The point of this prefix is additional security: when no domain option is provided in the cookie options, it guarantees that the cookie came from the correct domain.
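The following is an added example, not code from the csrf-csrf package or from this advisory. It implements the browser-side rule that the advisory relies on: a cookie whose name begins with __Host- is only accepted when it is marked Secure, has Path=/ and carries no Domain attribute, whereas a misspelled prefix such as Host__ is an ordinary name with no such enforcement. The cookie names and header strings below are constructed for the demonstration.

```javascript
// Added example (not csrf-csrf's own code): parse a Set-Cookie header and
// apply the __Host- / __Secure- prefix rules that browsers enforce.

function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    // Attribute names are case-insensitive; values (e.g. the path) are kept as-is.
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attributes };
}

// Returns whether a browser would store the cookie, and why not if it would not.
function checkCookiePrefix(header) {
  const { name, attributes } = parseSetCookie(header);
  const problems = [];
  if (name.startsWith('__Host-')) {
    if (!('secure' in attributes)) problems.push('__Host- requires Secure');
    if ('domain' in attributes) problems.push('__Host- forbids Domain');
    if (attributes.path !== '/') problems.push('__Host- requires Path=/');
    return { name, prefix: '__Host-', enforced: true, accepted: problems.length === 0, problems };
  }
  if (name.startsWith('__Secure-')) {
    if (!('secure' in attributes)) problems.push('__Secure- requires Secure');
    return { name, prefix: '__Secure-', enforced: true, accepted: problems.length === 0, problems };
  }
  // Any other name, including the misspelled "Host__", carries no prefix
  // semantics: the browser stores it whatever the attributes, so a cookie of
  // the same name set for a parent domain or over plain HTTP can shadow it.
  return { name, prefix: null, enforced: false, accepted: true, problems };
}

// Constructed sample headers: the corrected default name versus the misspelled one.
const GOOD = '__Host-csrf-token=abc; Path=/; Secure; HttpOnly; SameSite=Lax';
const MISSPELLED = 'Host__csrf-token=abc; Path=/; Domain=example.com; HttpOnly';

console.log(checkCookiePrefix(GOOD));
console.log(checkCookiePrefix(MISSPELLED));
```

The second constructed header shows the practical difference: with Host__ the browser happily stores a cookie scoped to a Domain attribute, which is exactly what the __Host- prefix exists to forbid.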
Recommendation
Update the csrf-csrf package to the latest compatible version. Version details:
- Affected version(s): < 2.2.1
- Patched version(s): 2.2.1
Last updated on January 09, 2023