csrf-lite@0.1.1 vulnerabilities

csrf protection for framework-less node sites

Direct Vulnerabilities

Known vulnerabilities in the csrf-lite package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Non-Constant Time String Comparison

csrf-lite is a CSRF protection utility for framework-free node sites. Affected versions of the package are vulnerable to a timing attack.

While the CSRF protection itself works well and increases security, the library uses the built-in string comparison mechanism, ===, and not a time constant string comparison. As a result, the comparison will fail faster when the first characters in the token are incorrect. An attacker can use this difference to perform a timing attack, essentially allowing them to guess the CSRF token one character at a time.

You can read more about timing attacks in Node.js on the Snyk blog: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/

How to fix Non-Constant Time String Comparison?

Update to version 0.1.2 or higher.

<=0.1.1
  • M
Non-Constant Time String Comparison

csrf-lite is a CSRF protection utility for framework-free node sites. Affected versions of the package are vulnerable to a timing attack.

While the CSRF protection itself works well and increases security, the library uses the built-in string comparison mechanism, ===, and not a time constant string comparison. As a result, the comparison will fail faster when the first characters in the token are incorrect. An attacker can use this difference to perform a timing attack, essentially allowing them to guess the CSRF token one character at a time.

You can read more about timing attacks in Node.js on the Snyk blog: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/

How to fix Non-Constant Time String Comparison?

Update to version 0.1.2 or higher.

<=0.1.1