CVE-2022-39287 HIGH

CVE-2022-39287: Plaintext transmission of CSRF tokens in tiny-csrf

Vendor Valexandersaulys
Product tiny-csrf
Weakness CWE-319 · Cleartext transmission
Published October 7, 2022
Last update April 23, 2025

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

tiny-csrf is a Node.js cross-site request forgery (CSRF) protection middleware. In versions prior to 1.1.0, cookies were not encrypted and thus CSRF tokens were transmitted in the clear. This issue has been addressed in commit `8eead6d` and the patch will be included in version 1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.

Key dates

02 Disclosure timeline

October 7, 2022 CVE published
April 23, 2025 Record updated