Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Fastify vulnerable to Cross-Site Request Forgery (CSRF) attack via incorrect content type
Vulnerability Description
Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect `Content-Type` to bypass the `Pre-Flight` checking of `fetch`. `fetch()` requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts `application/json` content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack. This issue has been patched in version 4.10.2 and 3.29.4. As a workaround, implement Cross-Site Request Forgery protection using `@fastify/csrf'.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Vulnerability Type
跨站请求伪造(CSRF)
Vulnerability Title
Fastify 跨站请求伪造漏洞
Vulnerability Description
Fastify是OpenJS基金会的一款用于Node.js的开源Web框架。 Fastify 存在跨站请求伪造漏洞,该漏洞源于攻击者可以使用不正确的Content-Type来绕过检查,从而绕过任何CORS保护,可能导致跨站请求伪造攻击。
CVSS Information
N/A
Vulnerability Type
N/A