CVE-2022-41919

Description

### Impact The attacker can use the incorrect `Content-Type` to bypass the `Pre-Flight` checking of `fetch`. `fetch()` requests with Content-Type’s [essence](https://mimesniff.spec.whatwg.org/#mime-type-essence) as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts `application/json` content type, thus bypassing any [CORS protection](https://fetch.spec.whatwg.org/#simple-header), and therefore they could lead to a Cross-Site Request Forgery attack. ### Patches For `4.x` users, please update to at least `4.10.2` For `3.x` users, please update to at least `3.29.4` ### Workarounds Implement Cross-Site Request Forgery protection using [`@fastify/csrf`](https://www.npmjs.com/package/@fastify/csrf). ### References Check out the HackerOne report: https://hackerone.com/reports/1763832. ### For more information [Fastify security policy](https://github.com/fastify/fastify/security/policy)

How to fix CVE-2022-41919

To remediate CVE-2022-41919, upgrade the affected package to a fixed version below.

• —upgrade to 4.10.2 or later

Is CVE-2022-41919 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 4.0.0, < 4.10.2

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-41919
• PATCHgithub.com/fastify/fastify
• WEBgithub.com/fastify/fastify/commit/62dde76f1f7aca76e38625fe8d983761f26e6fc9
• WEBgithub.com/fastify/fastify/security/advisories/GHSA-3fjj-p79j-c9hh