Lack of protection against cookie tossing attacks in fastify-csrf

fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Version 3.1.0 of the fastify-csrf fixes it. the vulnerability. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

在信任Cookie未进行验证与完整性检查

Fastify 跨站请求伪造漏洞

Fastify是OpenJS（Openjs）基金会的一款用于Node.js的开源Web框架。 Node.js fastify 存在安全漏洞，攻击者可以通过Node.js fastify-csrf的Cookie Double Submit触发跨站请求伪造，以迫使受害者执行操作。

N/A

N/A