Security Issue in JSON deserialization used by CSRF cookie handling. Removed use of JSON (de)serialization in Csrf.cs, to prevent a possible remote code execution vulnerability. Thanks to Alvaro Muñoz and Alexandr Mirosh from Hewlett-Packard Enterprise Security for pointing out this flaw. Affected versions are all Nancy
1.xreleases and all pre-release candidates of
2.xup to and including
2.0-clinteastwood. The new CRSF cookie will not be backwards compatible with cookies that was generated with earlier versions.
1.xusers are advised to upgrade to
2.xusers are advised to use a build from our MyGet feed until
2.0-dangermousehas been published to NuGet
CSRF.Enable(...), to be affected by this vulnerability.