Description
The default cookie name (and the name recommended in the documentation) was prefixed with Host__ instead of __Host-. The point of the __Host- prefix is additional security: when no domain option is provided in the cookie options, it guarantees that the cookie came from the correct domain.
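As an added illustration (not code from the csrf-csrf package), the check below applies the browser rules for the __Host- prefix to constructed Set-Cookie headers, showing that a name spelled Host__ gets no enforcement at all while a genuine __Host- cookie is rejected unless it is Secure, has no Domain attribute and uses Path=/:

```javascript
// Added example with constructed Set-Cookie headers; it is not part of
// csrf-csrf. It checks the browser-side rules for the "__Host-" prefix
// (cookie must be Secure, carry no Domain attribute and have Path=/).
// Whether the response came over HTTPS cannot be seen in the header
// alone, so that condition is assumed to hold here.

function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, attributes };
}

// Returns { enforced, accepted, reasons }:
//   enforced - the browser applies the __Host- rules to this cookie name
//   accepted - a browser would store the cookie
//   reasons  - why it would be rejected, when it would be
function checkHostPrefix(header) {
  const { name, attributes } = parseSetCookie(header);
  const enforced = name.startsWith("__Host-");
  if (!enforced) {
    // "Host__..." is just an ordinary cookie name: the browser stores it
    // like any other, so the prefix guarantee is silently lost.
    return { enforced: false, accepted: true, reasons: [] };
  }
  const reasons = [];
  if (attributes.secure !== true) reasons.push("missing Secure");
  if ("domain" in attributes) reasons.push("Domain attribute present");
  if (attributes.path !== "/") reasons.push("Path must be /");
  return { enforced: true, accepted: reasons.length === 0, reasons };
}

// Constructed sample headers.
console.log(checkHostPrefix("__Host-csrf=abc; Secure; Path=/; SameSite=Lax"));
console.log(checkHostPrefix("__Host-csrf=abc; Secure; Path=/; Domain=example.com"));
console.log(checkHostPrefix("Host__csrf=abc; Domain=example.com"));
```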
Recommendation
Update the csrf-csrf package to the latest compatible version. Version details:
- Affected version(s): < 2.2.1
- Patched version(s): 2.2.1
Last updated on January 09, 2023