Description
tiny-csrf is a Node.js cross-site request forgery (CSRF) protection middleware. In versions prior to 1.1.0, cookies were not encrypted, so CSRF tokens were transmitted in the clear. This issue has been addressed in commit `8eead6d` and the patch will be included in version 1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.
Remediation
Upgrade tiny-csrf to version 1.1.0 or later, which includes the fix from commit `8eead6d`. No workaround is known for earlier versions.
References
https://github.com/valexandersaulys/tiny-csrf/security/advisories/GHSA-pj2c-h76w-vv6f
https://github.com/valexandersaulys/tiny-csrf/commit/8eead6da3b56e290512bbe8d20c2c5df3be317ba