CVE-2023-29019
📋 TL;DR
CVE-2023-29019 is a session fixation vulnerability in @fastify/passport: the session ID is not regenerated when a user authenticates, so a session identifier that an attacker planted in a victim's browser before login is still valid, and now authenticated, after login. Applications that use @fastify/passport for authentication together with @fastify/session for session management are affected. An attacker sets a session cookie in the victim's browser, waits for the victim to log in, then presents the same cookie to act as the victim.
💻 Affected Systems
- @fastify/passport
📦 What is this software?
Passport by Fastify (@fastify/passport): a port of the Passport.js authentication middleware for the Fastify web framework.
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of any user, allowing attackers to access sensitive data, perform unauthorized actions, and potentially escalate privileges within the application.
Likely Case
Attackers hijack user sessions to impersonate legitimate users, accessing their personal data and performing actions on their behalf.
If Mitigated
With session regeneration on login (the behaviour the fix introduces), the pre-login session ID is discarded when the victim authenticates, so the attacker's planted ID never becomes an authenticated session and the attack is prevented entirely.
🎯 Exploit Status
Exploitation requires the attacker to plant a session cookie in the victim's browser (from a network position, or from a same-site position such as a sibling subdomain that can set cookies for the parent domain) and then wait for the victim to authenticate with that cookie in place.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: any release that includes commit 43c82c321db58ea3e375dd475de60befbfcf2a11 (the vendor advisory lists the first patched release)
Vendor Advisory: https://github.com/fastify/fastify-passport/security/advisories/GHSA-4m3m-ppvx-xgw9
Restart Required: Yes
Instructions:
1. Update @fastify/passport to the latest version.
2. Verify the installed version includes commit 43c82c321db58ea3e375dd475de60befbfcf2a11.
3. Restart the Fastify application so the patched code is loaded, then confirm that a login issues a new session ID.
🔧 Temporary Workarounds
No workarounds available
The advisory states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Monitor authentication logs for session IDs that survive a login boundary (the same ID seen before and after a successful authentication) and alert on them
- Require re-authentication or an additional factor for sensitive operations, and apply rate limiting to login endpoints, so a hijacked session is of limited use
🔍 How to Verify
Check if Vulnerable:
Check if your @fastify/passport version predates commit 43c82c321db58ea3e375dd475de60befbfcf2a11 and you're using @fastify/session for session management.
Check Version:
npm list @fastify/passport
Verify Fix Applied:
Verify your @fastify/passport version includes commit 43c82c321db58ea3e375dd475de60befbfcf2a11, then test end to end: capture the session cookie issued before login, log in, and confirm the session ID in the login response's Set-Cookie header differs from the pre-login one.
📡 Detection & Monitoring
Log Indicators:
- Multiple authentication attempts from same session ID
- Session IDs that don't change after successful authentication
Network Indicators:
- Session cookies for your application being set by a source other than your own login or session endpoints (for example a sibling subdomain or a plaintext HTTP response), which is how a same-site or network attacker plants the fixed ID
- A client presenting a session cookie that the server never issued to that client, or the same session ID in use from two different clients around the time of a login
SIEM Query:
source="application_logs" AND ("session fixation" OR "session hijack" OR "multiple auth same session")
This query only matches if your application emits such messages; a more reliable signal is to log the session ID at login time and alert when the post-login ID equals the pre-login ID.
🔗 References
- https://github.com/fastify/fastify-passport/commit/43c82c321db58ea3e375dd475de60befbfcf2a11
- https://github.com/fastify/fastify-passport/security/advisories/GHSA-4m3m-ppvx-xgw9
- https://owasp.org/www-community/attacks/Session_fixation