Security Issue in JSON deserialization used by CSRF cookie handling. Removed use of JSON (de)serialization in Csrf.cs, to prevent a possible remote code execution vulnerability. Thanks to Alvaro Muñoz and Alexandr Mirosh from Hewlett-Packard Enterprise Security for pointing out this flaw.

Affected versions are all Nancy 1.x releases and all pre-release candidates of 2.x up to and including 2.0-clinteastwood. The new CSRF cookie will not be backwards compatible with cookies that were generated with earlier versions.

1.x users are advised to upgrade to
2.x users are advised to use a build from our MyGet feed until 2.0-dangermouse has been published to NuGet
CSRF.Enable(...), to be affected by this vulnerability.
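
The kind of change described above, sketched as an added example (this is not Nancy's Csrf.cs or any code from the project): a CSRF cookie stored as a fixed three-field string and authenticated with an HMAC before any field is parsed, so no deserializer ever runs on client-supplied data. The class name `CsrfCookieCodec`, the field layout and the key handling are assumptions made for illustration.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Hypothetical codec (not Nancy's Csrf.cs). The cookie is "random|ticks|hmac",
// so reading it never instantiates a type chosen by the client.
public static class CsrfCookieCodec
{
    public static string Encode(byte[] key, byte[] random, DateTime createdUtc)
    {
        string payload = Convert.ToBase64String(random) + "|" +
            createdUtc.Ticks.ToString(CultureInfo.InvariantCulture);
        return payload + "|" + Convert.ToBase64String(Sign(key, payload));
    }

    // Returns false for anything that is not exactly what Encode produces.
    public static bool TryDecode(byte[] key, string cookie, out byte[] random, out DateTime createdUtc)
    {
        random = null;
        createdUtc = default(DateTime);
        string[] parts = (cookie ?? "").Split('|');
        if (parts.Length != 3) return false;
        try
        {
            // Authenticate the first two fields before interpreting either of them.
            byte[] supplied = Convert.FromBase64String(parts[2]);
            if (!FixedTimeEquals(Sign(key, parts[0] + "|" + parts[1]), supplied)) return false;
            if (!long.TryParse(parts[1], NumberStyles.None, CultureInfo.InvariantCulture, out long ticks)
                || ticks > DateTime.MaxValue.Ticks) return false;
            random = Convert.FromBase64String(parts[0]);
            createdUtc = new DateTime(ticks, DateTimeKind.Utc);
            return true;
        }
        catch (FormatException) { return false; }
    }

    static byte[] Sign(byte[] key, string payload)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

A cookie written in an older format fails the three-field check and is rejected, which is the same kind of backwards incompatibility the release note describes.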