Skip to content

Fastify: Incorrect Content-Type parsing can lead to CSRF attack

Moderate severity GitHub Reviewed Published Nov 21, 2022 in fastify/fastify • Updated Jan 31, 2023

Package

npm fastify (npm)

Affected versions

>= 4.0.0, < 4.10.2
>= 3.0.0, < 3.29.4

Patched versions

4.10.2
3.29.4

Description

Impact

The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch() requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts application/json content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack.

Patches

For 4.x users, please update to at least 4.10.2
For 3.x users, please update to at least 3.29.4

Workarounds

Implement Cross-Site Request Forgery protection using @fastify/csrf.

References

Check out the HackerOne report: https://hackerone.com/reports/1763832.

For more information

Fastify security policy

References

@mcollina mcollina published to fastify/fastify Nov 21, 2022
Published to the GitHub Advisory Database Nov 21, 2022
Reviewed Nov 21, 2022
Published by the National Vulnerability Database Nov 22, 2022
Last updated Jan 31, 2023

Severity

Moderate
4.2
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Weaknesses

CVE ID

CVE-2022-41919

GHSA ID

GHSA-3fjj-p79j-c9hh

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.