node-sdk
Fix: Cross-Site Request Forgery token value is disclosed to an unauthorised actor
An issue found in project larksuite/node-sdk
larksuite/node-sdk uses Axios 0.8.1 through 1.5.1. Those versions inadvertently reveal the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information. The token is attached by axios's XHR adapter, so the leak occurs when the SDK's axios instance runs in a browser environment and the request is configured with withCredentials: true; the Node http adapter does not add the header.
Proof of concept (runs in a browser, where axios uses its XHR adapter):

import axios from "axios";              // any release from 0.8.1 through 1.5.1
import Cookies from "universal-cookie"; // assumed: the cookie helper behind `new Cookies()`

const instance = axios.create({
  withCredentials: true, // this flag alone makes axios attach the XSRF header
});

// Plant a secret XSRF-TOKEN cookie scoped to the page's own origin.
const cookies = new Cookies();
cookies.set("XSRF-TOKEN", "whatever", {
  domain: "localhost",
  sameSite: "strict",
});

// Cross-origin request: the outgoing XHR carries "X-XSRF-TOKEN: whatever",
// handing the token to a host that should never see it.
instance
  .get("https://www.com")
  .then((res) => console.log(res.data))
  .catch((err) => console.error(err.message));
The decision to attach the header is made in axios at lib/adapters/xhr.js:191:

  const xsrfValue = (config.withCredentials || isURLSameOrigin(fullPath))

Because the two conditions are joined with ||, withCredentials: true short-circuits the same-origin check: the XSRF cookie is read and copied into the X-XSRF-TOKEN header regardless of which host the request is going to.
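The following is an added example, not code from axios or from larksuite/node-sdk. It models the header-attachment decision described above and in the advisory text: the vulnerable rule (withCredentials alone is enough) beside a hardened rule (same origin only, with an explicit opt-in modelled on the withXSRFToken option later axios releases added), plus a check of whether a given axios version falls in the affected 0.8.1 through 1.5.1 range. All function names, the page origin, the cookie jar and the request URLs are assumptions constructed for the demonstration.

```javascript
// Added example: a model of axios's XSRF header decision, not axios's own code.
// Assumed names: isSameOrigin, shouldAttachXsrfHeader, buildRequestHeaders,
// isAffectedAxiosVersion. Uses only the WHATWG URL class built into Node.

// Same-origin check: scheme and host:port of the request must match the page.
// A relative URL is resolved against the page origin first.
function isSameOrigin(requestUrl, pageOrigin) {
  const req = new URL(requestUrl, pageOrigin);
  const page = new URL(pageOrigin);
  return req.protocol === page.protocol && req.host === page.host;
}

// vulnerable === true reproduces the 0.8.1 - 1.5.1 rule quoted from xhr.js:
//   (config.withCredentials || isURLSameOrigin(fullPath))
// so a credentialed request to ANY host carries the token.
// vulnerable === false applies a hardened rule: same-origin requests only,
// unless the caller explicitly opts in with withXSRFToken (assumed option name,
// modelled on the opt-in later axios releases expose).
function shouldAttachXsrfHeader(config, requestUrl, pageOrigin, vulnerable) {
  const sameOrigin = isSameOrigin(requestUrl, pageOrigin);
  if (vulnerable) {
    return Boolean(config.withCredentials || sameOrigin);
  }
  if (config.withXSRFToken === true) {
    return true;
  }
  return sameOrigin;
}

// Build the headers a request would carry. cookieJar stands in for the
// browser's cookies for the page origin (constructed input).
function buildRequestHeaders(config, requestUrl, pageOrigin, cookieJar, vulnerable) {
  const headers = {};
  const cookieName = config.xsrfCookieName || "XSRF-TOKEN";
  const headerName = config.xsrfHeaderName || "X-XSRF-TOKEN";
  const token = cookieJar[cookieName];
  if (token && shouldAttachXsrfHeader(config, requestUrl, pageOrigin, vulnerable)) {
    headers[headerName] = token;
  }
  return headers;
}

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes ignored) into numbers.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`not a release version: ${version}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Affected range stated by the advisory: 0.8.1 <= version <= 1.5.1.
function isAffectedAxiosVersion(version) {
  return compareVersions(version, "0.8.1") >= 0 && compareVersions(version, "1.5.1") <= 0;
}

// Demonstration on constructed input, mirroring the proof of concept above.
const pageOrigin = "https://app.example.test";           // constructed
const cookieJar = { "XSRF-TOKEN": "whatever" };           // constructed, same cookie as the PoC
const config = { withCredentials: true };
const crossOrigin = "https://third-party.example.test/api";

console.log("vulnerable :", buildRequestHeaders(config, crossOrigin, pageOrigin, cookieJar, true));
console.log("hardened   :", buildRequestHeaders(config, crossOrigin, pageOrigin, cookieJar, false));
console.log("axios 1.5.1 affected:", isAffectedAxiosVersion("1.5.1"));
console.log("axios 1.6.0 affected:", isAffectedAxiosVersion("1.6.0"));
```

With the vulnerable rule the cross-origin request leaves with X-XSRF-TOKEN: whatever; with the hardened rule the header is absent unless the request is same-origin or the caller opted in. The version check is the first thing to run against a lock file when triaging this advisory: anything at or below 1.5.1 (and at or above 0.8.1) is in range.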
CVE: CVE-2023-45857
CWE: CWE-352 (Cross-Site Request Forgery)
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (base score 6.5, Medium)