CVE-2021-29624: 
JavaScript vulnerability analysis and mitigation

CVE-2021-29624 is a vulnerability in the fastify-csrf npm package affecting versions prior to 3.1.0. The vulnerability is related to insufficient protection against cookie tossing attacks in applications deployed across multiple subdomains, particularly in 'heroku'-style platform as a service environments. The vulnerability was discovered by Xhelal Likaj and was disclosed in May 2021 (GitHub Advisory).

The vulnerability exists in the double submit mechanism using cookies when an application is deployed across multiple subdomains. The CVSS v3.1 base score is 6.5 (Moderate), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. This indicates a network attack vector with low complexity, requiring no privileges but user interaction, with unchanged scope, no impact on confidentiality, high impact on integrity, and no impact on availability (GitHub Advisory).

The vulnerability primarily affects users who implemented fastify-csrf with the 'double submit' mechanism using cookies in applications deployed across multiple subdomains. When exploited, it could allow attackers to bypass CSRF protections, potentially leading to unauthorized actions being performed on behalf of authenticated users (GitHub Advisory).

The vulnerability was patched in version 3.1.0 of fastify-csrf. Users should upgrade to this version or later. The fix requires users to supply a userInfo parameter when generating the CSRF token to fully implement the protection, particularly for applications hosted on different subdomains. No alternative workarounds are available (GitHub Advisory).