CVE-2022-39287: Cleartext Transmission of Sensitive Information

October 7, 2022 (updated October 11, 2022)

tiny-csrf is a Node.js cross site request forgery (CSRF) protection middleware. In versions prior to 1.1.0 cookies were not encrypted and thus CSRF tokens were transmitted in the clear. This issue has been addressed in commit 8eead6d and the patch with be included in version 1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.

References

github.com/advisories/GHSA-pj2c-h76w-vv6f
github.com/valexandersaulys/tiny-csrf/commit/8eead6da3b56e290512bbe8d20c2c5df3be317ba
github.com/valexandersaulys/tiny-csrf/security/advisories/GHSA-pj2c-h76w-vv6f

Code Behaviors & Features

Detect and mitigate CVE-2022-39287 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →