google / sxg-rs

A set of tools for generating signed exchanges at serve time.
Apache License 2.0

Update dependency fastify to v4.10.2 [SECURITY] - autoclosed #420

Closed renovate-bot closed 1 year ago

renovate-bot commented 1 year ago

Mend Renovate

This PR contains the following updates:

| Package | Change |
| --- | --- |
| fastify (source) | 4.10.0 -> 4.10.2 |

GitHub Vulnerability Alerts

CVE-2022-41919

Impact

The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch() requests with Content-Type's essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain" could potentially be used to invoke routes that only accept the application/json content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack.

Patches

For 4.x users, please update to at least 4.10.2. For 3.x users, please update to at least 3.29.4.

Workarounds

Implement Cross-Site Request Forgery protection using @fastify/csrf.

References

Check out the HackerOne report: https://hackerone.com/reports/1763832.

For more information

Fastify security policy


Release Notes

fastify/fastify

### [`v4.10.2`](https://togithub.com/fastify/fastify/releases/tag/v4.10.2)

[Compare Source](https://togithub.com/fastify/fastify/compare/v4.10.1...v4.10.2)

#### ⚠️ Security Release ⚠️

- Fix for ["Incorrect Content-Type parsing can lead to CSRF attack"](https://togithub.com/fastify/fastify/security/advisories/GHSA-3fjj-p79j-c9hh) and CVE-2022-41919

**Full Changelog**: https://github.com/fastify/fastify/compare/v4.10.1...v4.10.2

### [`v4.10.1`](https://togithub.com/fastify/fastify/releases/tag/v4.10.1)

[Compare Source](https://togithub.com/fastify/fastify/compare/v4.10.0...v4.10.1)

#### What's Changed

- fix node 19.1.0 port validation test by [@Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/fastify/fastify/pull/4427](https://togithub.com/fastify/fastify/pull/4427)
- Add fastify-constraints to community plugins by [@Ceres6](https://togithub.com/Ceres6) in [https://github.com/fastify/fastify/pull/4428](https://togithub.com/fastify/fastify/pull/4428)
- build(deps-dev): bump [@sinonjs/fake-timers](https://togithub.com/sinonjs/fake-timers) from 9.1.2 to 10.0.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/fastify/fastify/pull/4421](https://togithub.com/fastify/fastify/pull/4421)
- add silent option to LogLevel by [@Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/fastify/fastify/pull/4432](https://togithub.com/fastify/fastify/pull/4432)

#### New Contributors

- [@Ceres6](https://togithub.com/Ceres6) made their first contribution in [https://github.com/fastify/fastify/pull/4428](https://togithub.com/fastify/fastify/pull/4428)

**Full Changelog**: https://github.com/fastify/fastify/compare/v4.10.0...v4.10.1

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
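The Content-Type confusion the advisory above describes, as an added example that is neither fastify's code nor part of this PR: `mimeEssence` extracts the MIME essence the way a strict parser should, `looseAcceptsJson` is a constructed stand-in for a loose match (not fastify's actual implementation), and `gateJsonRoute` is a hypothetical 415 gate for a JSON-only route.

```javascript
// Added example (not fastify's code): strict MIME essence matching for a
// JSON-only route, next to a deliberately loose check, to show the class of
// mistake the CVE-2022-41919 advisory describes from a defender's side.

// Content-Type values a browser may send cross-origin WITHOUT a CORS
// preflight (CORS-safelisted request-header values, per the Fetch standard).
const CORS_SAFELISTED = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Extract the MIME essence "type/subtype" (lower-cased, parameters dropped).
// Returns null when the header is missing or not a valid type/subtype token pair.
function mimeEssence(contentType) {
  if (typeof contentType !== 'string') return null;
  const essence = contentType.split(';')[0].trim().toLowerCase();
  const token = "[!#$%&'*+.^_`|~0-9a-z-]+";
  return new RegExp(`^${token}/${token}$`).test(essence) ? essence : null;
}

// Hypothetical loose matcher (constructed for illustration only): accepts any
// header that merely contains the expected type somewhere in the value.
function looseAcceptsJson(contentType) {
  return typeof contentType === 'string' && contentType.includes('application/json');
}

// Hardened matcher: only the exact essence counts, so a safelisted value that a
// browser sends without preflight can never be routed to the JSON parser.
function strictAcceptsJson(contentType) {
  return mimeEssence(contentType) === 'application/json';
}

// Defensive gate for a JSON-only route: answer 415 (Unsupported Media Type)
// unless the essence is exactly application/json. Returns the status to send.
function gateJsonRoute(headers) {
  return strictAcceptsJson(headers['content-type']) ? 200 : 415;
}

// Constructed sample headers: the first two are legitimate JSON requests; the
// last two carry a safelisted essence with a misleading parameter or suffix.
const SAMPLES = [
  'application/json',
  'application/json; charset=utf-8',
  'text/plain; application/json',
  'application/x-www-form-urlencoded;x=application/json',
];
```

Running `gateJsonRoute` over `SAMPLES` shows the strict gate answering 415 for the last two values while the loose matcher would have accepted them.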