On September 11th, 2022, Snyk published a vulnerability report for the popular CSRF token management csurf npm package. The vulnerability impacts all known versions, which are currently yielding more than 400,000 downloads per week. The vulnerability report is based on the public disclosure by security consultant Adrian Tiron and their write-up on the Fortbridge blog.
Just three days later, on September 13th, the csurf npm package was archived and given a deprecated status by its maintainer, effective with the change in this commit.
If you wish to understand the details involving a CSRF token misconfiguration, continue with the next section. If you only wish to quickly remediate the security concern and understand what to do in response to this CSRF attack disclosure, jump to the section on How to address the csurf CSRF token vulnerability.
The csurf npm package is a popular library that developers use to mitigate cross-site request forgery (CSRF) vulnerabilities in their Node.js applications. This CSRF library implements a technique called the double submit cookie pattern to prevent such a vulnerability. However, it was found that the package’s implementation of this mitigation technique was ineffective on its own and required additional web security controls to function properly, and so it left applications open to possible CSRF attacks. In particular, it doesn’t properly validate cookie values for the double submit cookie pattern, which results in attackers being able to spoof the CSRF token. Adding to the problem, it relies on a deprecated hash function (SHA1) for hashing CSRF tokens.