CVE-2022-41919

22.11.2022, 20:15

Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect `Content-Type` to bypass the `Pre-Flight` checking of `fetch`. `fetch()` requests with Content-Types essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts `application/json` content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack. This issue has been patched in version 4.10.2 and 3.29.4. As a workaround, implement Cross-Site Request Forgery protection using `@fastify/csrf'.

CSRF

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.2 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
GitHub_M	CNA	4.2 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 21%

Vendor	Product	Version
fastify	fastify	3.0.0 ≤ 𝑥 < 3.29.4
fastify	fastify	4.0.0 ≤ 𝑥 < 4.10.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-352 - Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References

https://github.com/fastify/fastify/commit/62dde76f1f7aca76e38625fe8d983761f26e6fc9

https://github.com/fastify/fastify/security/advisories/GHSA-3fjj-p79j-c9hh

https://www.npmjs.com/package/%40fastify/csrf

https://github.com/fastify/fastify/commit/62dde76f1f7aca76e38625fe8d983761f26e6fc9

https://github.com/fastify/fastify/security/advisories/GHSA-3fjj-p79j-c9hh

https://www.npmjs.com/package/%40fastify/csrf