CVE-2023-27495: 
JavaScript vulnerability analysis and mitigation

@fastify/csrf-protection is a plugin which helps protect Fastify servers against CSRF attacks. The vulnerability affects versions up to 4.0.1 and versions 5.0.0 to 6.2.0. The CSRF protection enforced by the @fastify/csrf-protection library in combination with @fastify/cookie can be bypassed from network and same-site attackers under certain conditions. This vulnerability was discovered in April 2023 (NVD, GitHub Advisory).

The vulnerability exists because @fastify/csrf-protection supports an optional userInfo parameter that binds the CSRF token to the user, which was introduced to prevent cookie-tossing attacks as a fix for CVE-2021-29624. When the userInfo parameter is missing or its value can be predicted for the target user account, attackers can fixate a _csrf cookie in the victim's browser and forge CSRF tokens that are valid for the victim's session. The vulnerability has a CVSS v3.1 base score of 6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) (NVD).

If successfully exploited, this vulnerability allows attackers to bypass the CSRF protection mechanism, potentially leading to unauthorized actions being performed on behalf of authenticated users. The impact primarily affects the integrity of user sessions, while confidentiality and availability remain unaffected (GitHub Advisory).

The vulnerability has been patched in versions 6.3.0 and 4.1.0. The fix includes a server-defined secret hmacKey that cryptographically binds the CSRF token to the value of the _csrf cookie and the userInfo parameter, making tokens non-spoofable by attackers. For users unable to upgrade, a workaround is available by using a random, non-predictable userInfo parameter for each user (GitHub Advisory).