CVE-2023-29020: 
JavaScript vulnerability analysis and mitigation

The CVE-2023-29020 vulnerability affects @fastify/passport, a port of the passport authentication library for the Fastify ecosystem. This vulnerability was disclosed on April 21, 2023, and impacts versions <= 1.0.1 and 2.0.0 <= 2.2.0. The issue allows CSRF (Cross-Site Request Forgery) protection to be bypassed when @fastify/passport is used in combination with @fastify/csrf-protection (GitHub Advisory).

The vulnerability stems from how @fastify/csrf-protection implements the synchronizer token pattern using @fastify/session and @fastify/secure-session plugins. The implementation stores a random value for CSRF token generation in the csrf attribute of a user's session. The critical flaw occurs because @fastify/passport does not clear the session object upon authentication, which results in the csrf attribute being preserved between pre-login and authenticated sessions. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (GitHub Advisory).

Network and same-site attackers can exploit this vulnerability by obtaining a CSRF token for their pre-session, fixating that pre-session in the victim's browser via cookie tossing, and then performing a CSRF attack after the victim authenticates. This allows attackers to perform unauthorized actions on behalf of authenticated users (GitHub Advisory).

The vulnerability has been patched in versions >= 1.1.0 < 2.0.0 and >= 2.3.0. The fix introduces two new configuration options: clearSessionOnLogin (default: true) and clearSessionIgnoreFields (default: ['passport', 'session']) to clear all session attributes by default, while preserving those explicitly defined in clearSessionIgnoreFields (GitHub Advisory).