CVE-2023-45857 (CWE-359) XSRF-TOKEN value is disclosed to an unauthorised actor #6006

Closed
@valentin-panov

Description

Describe the bug

Hi team, @jasonsaayman and @DigitalBrainJS,

The library inserts the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN cookie is available, and the withCredentials setting is turned on. If a malicious user manages to obtain this value, it can potentially lead to the XSRF defence mechanism bypass.

It's crucial to ensure the protection of CSRF tokens. These tokens should be treated as confidential information and managed securely at all times.
You may check it here:
https://portswigger.net/web-security/csrf/preventing
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

Type of vulnerability: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
Severity: High (7.1) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

To Reproduce

  1. Start a new project using the latest version of Next.js by running the following command: npx create-next-app@latest. Then, install the latest version of the Axios library with this command: npm i axios
  2. Create an Axios instance with the following configuration, which enables cross-site request forgery (CSRF) protection by including credentials in requests:
    import axios from "axios";

    const instance = axios.create({
      withCredentials: true,
    });
  3. Install the XSRF-TOKEN cookie with specific attributes. Set the cookie value to "whatever" and configure it for the "localhost" domain with a strict same-site policy:
    // Assumed import: the Cookies class used below matches the universal-cookie API
    import Cookies from "universal-cookie";

    const cookies = new Cookies();
    cookies.set("XSRF-TOKEN", "whatever", {
      domain: "localhost",
      sameSite: "strict",
    });
  4. Initiate a cross-domain request using your Axios instance. In this example, we're making a GET request to "https://www.com/", and we handle the response and potential errors:
    instance
      .get("https://www.com")
      .then((res) => console.log(res.data))
      .catch((err) => console.error(err.message));
  5. Run your project, and open the browser's network tab for debugging and monitoring network activity.
  6. Verify that the cross-domain request to "https://www.com/" includes the "X-XSRF-TOKEN" header with the value "whatever".
  7. Confirm that the "XSRF-TOKEN" cookie's value is disclosed to any 3rd-party host when making requests using the Axios instance. This is essential for security, as you don't want to leak CSRF tokens to unauthorized entities.

Code snippet

lib/adapters/xhr.js:191
const xsrfValue = (config.withCredentials || isURLSameOrigin(fullPath))

Expected behavior

Expected result (ER): the XSRF-TOKEN is not disclosed to a 3rd-party host
Actual result (AR): the XSRF-TOKEN is disclosed in every request made with the Axios instance

Axios Version

v0.8.1 - v1.5.1

Adapter Version

No response

Browser

No response

Browser Version

No response

Node.js Version

No response

OS

No response

Additional Library Versions

No response

Additional context/Screenshots

The current effective solution is to change the default XSRF-TOKEN cookie name in the Axios configuration and manually include the corresponding header only in the specific places where it's necessary.

https://nvd.nist.gov/vuln/detail/CVE-2023-45857

https://prnt.sc/xDcRmFozxSHJ
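The following is an added example, not axios' code and not the reporter's reproduction. It models the decision the report describes: a browser HTTP client copies the XSRF-TOKEN cookie into an X-XSRF-TOKEN header, and the quoted `withCredentials || isURLSameOrigin(fullPath)` rule lets that happen for a cross-origin request. Beside it is a same-origin-only rule of this example's own design (the `sendXsrfCrossOrigin` opt-in is hypothetical, not an axios option), plus the cookie-renaming workaround mentioned above. The page origin `http://localhost:3000`, the cookie string and the third-party URL are constructed inputs.

```javascript
// Added example (not axios code): how a browser HTTP client decides whether
// to copy the XSRF-TOKEN cookie into an X-XSRF-TOKEN header, contrasting the
// vulnerable rule quoted in the issue with a same-origin-only rule.

// Parse a "name=value; name2=value2" document.cookie string into a map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Same origin means identical scheme, host and port; relative paths resolve
// against the page origin, so "/api/x" is always same-origin.
function isURLSameOrigin(requestURL, pageOrigin) {
  const target = new URL(requestURL, pageOrigin);
  return new URL(pageOrigin).origin === target.origin;
}

// Vulnerable rule, mirroring the condition quoted from lib/adapters/xhr.js:
// withCredentials alone is enough to attach the token, even cross-origin.
function attachXsrfVulnerable(config, fullPath, pageOrigin) {
  return Boolean(config.withCredentials) || isURLSameOrigin(fullPath, pageOrigin);
}

// Hardened rule (this example's own design, not axios' released fix): the
// token goes only to the origin that set the cookie, unless the caller opts in
// per request with the hypothetical `sendXsrfCrossOrigin: true` flag.
function attachXsrfHardened(config, fullPath, pageOrigin) {
  if (config.sendXsrfCrossOrigin === true) return true;
  return isURLSameOrigin(fullPath, pageOrigin);
}

// Build the outgoing headers for one request under a given attachment rule.
// xsrfCookieName / xsrfHeaderName default to axios' documented names.
function buildHeaders(config, fullPath, pageOrigin, cookieString, rule) {
  const headers = { ...(config.headers || {}) };
  const cookieName = config.xsrfCookieName || "XSRF-TOKEN";
  const headerName = config.xsrfHeaderName || "X-XSRF-TOKEN";
  const token = parseCookies(cookieString)[cookieName];
  if (token && rule(config, fullPath, pageOrigin)) {
    headers[headerName] = token;
  }
  return headers;
}

// Constructed scenario from the reproduction steps: app served on localhost,
// cookie XSRF-TOKEN=whatever, cross-origin request with withCredentials on.
const PAGE_ORIGIN = "http://localhost:3000";
const COOKIES = "XSRF-TOKEN=whatever; session=abc123";
const THIRD_PARTY = "https://www.com/";

function demo() {
  const cfg = { withCredentials: true };
  // Workaround from the issue: point the client at a cookie name that is never
  // set, so no token is ever copied automatically.
  const renamed = { withCredentials: true, xsrfCookieName: "UNUSED-XSRF-NAME" };
  return {
    crossOriginVulnerable: buildHeaders(cfg, THIRD_PARTY, PAGE_ORIGIN, COOKIES, attachXsrfVulnerable),
    crossOriginHardened: buildHeaders(cfg, THIRD_PARTY, PAGE_ORIGIN, COOKIES, attachXsrfHardened),
    sameOriginHardened: buildHeaders(cfg, "/api/profile", PAGE_ORIGIN, COOKIES, attachXsrfHardened),
    crossOriginRenamedCookie: buildHeaders(renamed, THIRD_PARTY, PAGE_ORIGIN, COOKIES, attachXsrfVulnerable),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Under the vulnerable rule the third-party request carries `X-XSRF-TOKEN: whatever`; under the same-origin rule it does not, while a request to `/api/profile` on the page's own origin still does. The renamed-cookie variant shows why the workaround in the issue holds: with no matching cookie there is nothing to copy, and the header then has to be set by hand only where the application actually talks to its own backend.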
