CVE-2022-41919 - Fastify Web Framework Cross-Site Request Forgery Vulnerability Leveraging Incorrect Content-Type

Fastify is a popular minimal-overhead, plugin-based web framework that provides out-of-the-box performance improvements for web applications. A potential security risk was discovered in Fastify, listed under the CVE-2022-41919, involving incorrect Content-Type values sent by attackers when making HTTP requests. This vulnerability could bypass the framework's Pre-Flight check using the fetch() API and expose web applications to Cross-Site Request Forgery (CSRF) attacks.

Impacted Versions

This issue affects Fastify versions prior to 4.10.2 and 3.29.4. The vulnerability has been patched in these versions.

Reference Links

- Fastify GitHub Repository
- CVE-2022-41919 - NVD Entry

Exploit Details

By leveraging the incorrect Content-Type, an attacker can manipulate the fetch() API, often used for making HTTP requests, to bypass the CORS (Cross-Origin Resource Sharing) protection mechanism. For example, Fastify routes that only accept application/json content type could potentially be called with Content-Type values such as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain".

Consider the following code snippet

// Example Fastify route only accepting application/json
fastify.post('/api/protected-route', async (request, reply) => {
  if (request.headers['content-type'] !== 'application/json') {
    reply.status(400).send({ message: 'Invalid Content-Type' })
  }
  
  // Rest of the route logic
});

An attacker with knowledge of the web application could craft an illegitimate request using a different Content-Type:

// Example fetch request sent by attacker
fetch('/api/protected-route', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded', // Incorrect Content-Type
  },
  body: JSON.stringify({ key: 'value' }),
});

The preceding example shows how an attacker could potentially invoke the /api/protected-route route, even though it should only accept requests with a Content-Type of application/json.

Mitigation and Patch

This issue has been resolved in Fastify versions 4.10.2 and 3.29.4. It is highly recommended to update to the appropriate patched version.

Workaround

If you cannot update to the patched versions, you can implement Cross-Site Request Forgery protection using Fastify's @fastify/csrf plugin. The plugin can help prevent CSRF attacks by validating requests with a secret token. To use the plugin, make sure to follow the instructions provided in the plugin's documentation:

- @fastify/csrf Plugin Repository

Timeline

Published on: 11/22/2022 20:15:00 UTC
Last modified on: 11/26/2022 03:35:00 UTC