{"id":"CVE-2020-28482","details":"This affects the package fastify-csrf before 3.0.0. (1) The generated CSRF cookie used insecure defaults and was not marked httpOnly (default cookieOpts: { path: '/', sameSite: true }), leaving the cookie readable by client-side script. (2) The CSRF token was available in the GET query parameter, where it can be exposed through URLs, server logs and Referer headers. Upgrade to fastify-csrf 3.0.0 or later.","aliases":["GHSA-49wp-qq6x-g2rf"],"modified":"2026-03-15T14:39:19.868290Z","published":"2021-01-19T15:15:12.153Z","related":["SNYK-JS-FASTIFYCSRF-1062044"],"references":[{"type":"ADVISORY","url":"https://github.com/fastify/fastify-csrf/pull/26"},{"type":"ADVISORY","url":"https://snyk.io/vuln/SNYK-JS-FASTIFYCSRF-1062044"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/fastify/fastify-csrf","events":[{"introduced":"0"},{"fixed":"bac8c852403ab66965d4e66c0d07324873960c26"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.0.0"}]}}],"versions":["v1.0.4","v2.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-28482.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}