{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "04d05fb613817cb8c723893c241820e1633881a4"
            }
          ],
          "repo": "https://github.com/fastify/csrf-protection",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "fixed": "3.1.0"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "04d05fb613817cb8c723893c241820e1633881a4"
            }
          ],
          "repo": "https://github.com/fastify/fastify-csrf",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "fastify-csrf is an open-source plugin that helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 implement a \"double submit\" cookie mechanism that is not sufficient when the application is deployed across multiple subdomains, e.g. a \"heroku\"-style platform as a service, where cookies set under a sibling subdomain can interfere with the check (see the referenced OWASP material on defeating the double-submit cookie pattern). Version 3.1.0 of fastify-csrf fixes the vulnerability. Note that upgrading alone is not sufficient for affected deployments: the user of the module must also supply a `userInfo` value when generating the CSRF token to fully implement the protection on their end. This extra step is needed only for applications hosted on different subdomains.",
  "id": "CVE-2021-29624",
  "modified": "2026-03-15T21:46:42.445801579Z",
  "published": "2021-05-19T22:15:07.837Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/fastify/fastify-csrf/releases/tag/v3.1.0"
    },
    {
      "type": "ADVISORY",
      "url": "https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf"
    },
    {
      "type": "ADVISORY",
      "url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html"
    },
    {
      "type": "FIX",
      "url": "https://github.com/fastify/fastify-csrf/pull/51"
    },
    {
      "type": "FIX",
      "url": "https://github.com/fastify/fastify-csrf/security/advisories/GHSA-rc4q-9m69-gqp8"
    },
    {
      "type": "FIX",
      "url": "https://github.com/fastify/csrf/pull/2"
    }
  ],
  "related": [
    "GHSA-rc4q-9m69-gqp8"
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}