
CVE-2022-41919: CWE-352: Cross-Site Request Forgery (CSRF) in fastify fastify

Medium
Published: Tue Nov 22 2022 (11/22/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: fastify
Product: fastify

Description

Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use an incorrect `Content-Type` to bypass the `Pre-Flight` checking of `fetch`. `fetch()` requests whose Content-Type essence is "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain" could potentially be used to invoke routes that only accept the `application/json` content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack. This issue has been patched in versions 4.10.2 and 3.29.4. As a workaround, implement Cross-Site Request Forgery protection using `@fastify/csrf`.

AI-Powered Analysis

AI analysis last updated: 06/22/2025, 13:38:56 UTC

Technical Analysis

CVE-2022-41919 is a Cross-Site Request Forgery (CSRF) vulnerability in the Fastify web framework, affecting versions 3.0.0 up to but not including 3.29.4 and 4.0.0 up to but not including 4.10.2. Fastify is a Node.js web framework designed for high performance and extensibility via plugins. The root cause is incorrect handling of the Content-Type request header when Fastify selects a body parser. A browser decides whether a cross-origin fetch() needs a CORS pre-flight (OPTIONS) request by looking at the media type essence of Content-Type, that is, the part before any `;` parameters: only application/x-www-form-urlencoded, multipart/form-data and text/plain are CORS-safelisted and go out without a pre-flight, and such "simple" requests carry the victim's cookies (subject to the cookies' SameSite attribute). A route that accepts only application/json therefore had an incidental CSRF defence: a cross-origin POST declaring that Content-Type always triggers a pre-flight, which the server can refuse. Vulnerable Fastify versions did not key parser selection on the essence the way the browser does, so an attacker-controlled page could issue a fetch() whose Content-Type essence is one of the three safelisted types but which Fastify nevertheless handed to the JSON parser. The request goes out without a pre-flight, arrives with the victim's session cookie, and is processed by a JSON-only route as if it were a legitimate same-origin call. CORS still prevents the attacker's page from reading the response, but a CSRF attack only needs the request to execute. Exploitation requires no more than the victim visiting a malicious page while authenticated to the target application; the attacker needs no credentials of their own. The issue is fixed in Fastify 3.29.4 and 4.10.2, which correct the Content-Type matching so that parser selection respects the media type essence. As a workaround, and as defence in depth after upgrading, the @fastify/csrf plugin provides token-based validation so that state-changing requests without a valid token are rejected regardless of Content-Type. No exploits in the wild have been reported, but any application on an affected version that relies on its JSON-only content type as its CSRF protection is exposed.
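The two halves of the mismatch described above can be modelled without a running server. The block below is an added example, not Fastify's code: it implements the browser's CORS-safelist decision for Content-Type (essence plus the byte and length rules from the Fetch specification) beside two server-side parser lookups. The "lenient" substring matcher is a hypothetical illustration of how a lookup that ignores the essence lets a safelisted header reach a JSON parser; the "strict" matcher keys on the essence. The header values in CASES are constructed for the example.

```javascript
'use strict';

// Media type essences that never trigger a CORS pre-flight (Fetch spec).
const SAFELISTED_ESSENCES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Essence = everything before the first ';', trimmed and lower-cased.
// Parameters such as "charset=utf-8" are not part of it.
function mediaTypeEssence(contentType) {
  return String(contentType).split(';')[0].trim().toLowerCase();
}

// Fetch spec "CORS-unsafe request-header byte": any of these in the value
// disqualifies Content-Type from the safelist even if the essence is fine.
const UNSAFE_BYTES = new Set([0x22, 0x28, 0x29, 0x3a, 0x3c, 0x3e, 0x3f, 0x40,
  0x5b, 0x5c, 0x5d, 0x7b, 0x7d, 0x7f]);
function hasCorsUnsafeByte(value) {
  for (const b of Buffer.from(value, 'latin1')) {
    if ((b < 0x20 && b !== 0x09) || UNSAFE_BYTES.has(b)) return true;
  }
  return false;
}

// Would a browser send a cross-origin POST with this Content-Type and no
// pre-flight? Mirrors the CORS-safelisted request-header check.
function isSentWithoutPreflight(contentType) {
  if (contentType.length > 128) return false;
  if (hasCorsUnsafeByte(contentType)) return false;
  return SAFELISTED_ESSENCES.has(mediaTypeEssence(contentType));
}

// Parsers a hypothetical server has registered, in registration order.
const REGISTERED_PARSERS = ['application/json', 'text/plain'];

// Hypothetical lenient lookup (assumption, for illustration): first registered
// name that occurs anywhere in the header value, parameters included.
function lenientParserFor(contentType, registered = REGISTERED_PARSERS) {
  const lower = contentType.toLowerCase();
  return registered.find((name) => lower.includes(name)) || null;
}

// Essence-based lookup: the registered name must equal the media type itself.
function strictParserFor(contentType, registered = REGISTERED_PARSERS) {
  const essence = mediaTypeEssence(contentType);
  return registered.find((name) => name === essence) || null;
}

// The CSRF condition from the advisory: no pre-flight AND the body lands in
// the JSON parser of a route that was supposed to accept only JSON.
function assessCsrfExposure(contentType, parserFor) {
  const noPreflight = isSentWithoutPreflight(contentType);
  const parsedAsJson = parserFor(contentType) === 'application/json';
  return { noPreflight, parsedAsJson, csrfReachable: noPreflight && parsedAsJson };
}

// Constructed header values, not captured traffic.
const CASES = [
  'application/json',                  // honest client: always pre-flighted
  'application/json; charset=utf-8',   // still essence application/json
  'text/plain; application/json',      // safelisted essence, JSON in params
  'text/plain; q="x"',                 // contains 0x22, so not safelisted
];

for (const ct of CASES) {
  console.log(ct.padEnd(34),
    'lenient:', assessCsrfExposure(ct, lenientParserFor),
    'strict:', assessCsrfExposure(ct, strictParserFor));
}
```

Run with node; the third case is the only one where the lenient lookup reports csrfReachable true, and the strict lookup reports false for every case because a text/plain essence can never select the JSON parser.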

Potential Impact

For European organizations, this vulnerability could allow unauthorized actions to be performed on web applications built with vulnerable Fastify versions in the context of an authenticated user: data modification, transaction manipulation, or changes to account settings and privileges that the victim is entitled to make. Since Fastify is used in e-commerce, finance, healthcare and government services, exploitation could affect personal data protected under GDPR, with regulatory and reputational consequences. The important point about the bypass is that the cross-origin request was never blocked by CORS in the first place; CORS only stops the attacker's page from reading the response. What protected JSON-only routes was the pre-flight that a non-safelisted Content-Type forces, and this vulnerability removes that protection, so no social engineering is needed beyond getting an authenticated victim to load a page. Internal applications are not exempt: a user on the corporate network who visits an attacker's page can be made to send requests to intranet Fastify services. Although no active exploitation is known, the ease of exploitation and the widespread use of Fastify make this a significant risk. Organizations with public-facing APIs or web portals on affected versions that rely on content-type restrictions as their only CSRF defence are particularly exposed.

Mitigation Recommendations

1. Upgrade Fastify to version 3.29.4 (3.x line) or 4.10.2 (4.x line) or later to apply the official patch.
2. Add the @fastify/csrf plugin so that every state-changing request must carry a valid CSRF token; treat this as defence in depth, not as a substitute for the upgrade.
3. Set session cookies with SameSite=Lax or SameSite=Strict (and Secure). A Lax cookie is not attached to cross-site POSTs, which stops this attack in modern browsers before the request reaches any route handler.
4. Review and tighten CORS policies: enumerate allowed origins, methods and headers explicitly, and never reflect an arbitrary Origin together with credentials.
5. Audit all routes that accept JSON to verify that they enforce authentication and authorization, and that the body parser rejects requests whose Content-Type media type essence is not application/json rather than matching loosely on the header value.
6. Verify request provenance on state-changing routes: reject requests whose Origin header is absent or not in the allowed set, and treat Sec-Fetch-Site: cross-site as a rejection signal.
7. Monitor web application logs for POSTs to JSON endpoints whose Content-Type essence is application/x-www-form-urlencoded, multipart/form-data or text/plain, particularly when the Origin header does not match the application's own origin.
8. Educate developers that content-type restrictions and CORS are not CSRF controls: CORS governs reading responses, not sending requests.
9. For internal applications, apply network segmentation and additional access controls, keeping in mind that a browser on the internal network can still be made to send requests to intranet services.


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-09-30T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9846c4522896dcbf4ae4

Added to database: 5/21/2025, 9:09:26 AM

Last enriched: 6/22/2025, 1:38:56 PM

Last updated: 8/17/2025, 2:17:47 PM

