CVE-2024-27439: Cross-Site Request Forgery in Apache Wicket

March 19, 2024 (updated February 13, 2025)

An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected.

Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.

References

github.com/advisories/GHSA-8vvp-525h-cxf9
github.com/apache/wicket
lists.apache.org/thread/o825rvjjtmz3qv21ps5k7m2w9193g1lo
nvd.nist.gov/vuln/detail/CVE-2024-27439

Code Behaviors & Features

Detect and mitigate CVE-2024-27439 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →