Node.js third-party modules: Default behavior of Fastify's versioned routes can be used for cache poisoning when Fastify is used in combination with a http cache / CDN
News category: Vulnerabilities
Source: vulners.com
I would like to report possible cache poisoning in Fastify. It allows an attacker to perform a cache poisoning when Fastify is used in combination with a http cache / CDN.

Module

module name: Fastify
version: 3.x
npm page: https://www.npmjs.com/package/fastify

Module Description

Fast and low overhead web framework, for Node.js

Module Stats

159,983 weekly downloads

Vulnerability

Vulnerability Description

I might be missing the obvious or I've not read the documentation closely enough, but to me it seems like it's not possible to turn off versioned routes in Fastify.

The reason why I am reporting this issue as a security issue is because my reason to want to turn off versioned routes in Fastify is rooted in a security issue when using Fastify in relation with a http cache / CDN, and I do not want to expose this in the common issue tracker because it can be used against running services.

My current issue is that we have a Fastify server not using versioned routes where the server lives behind a http cache / CDN. By default Fastify will return a 404 if an Accept-Version http header is passed on to an existing route not under versioning. When there is a http cache / CDN in front of Fastify this will make it possible for an attacker to perform a cache poisoning attack (https://owasp.org/www-community/attacks/Cache_Poisoning).

Steps To Reproduce:

Given the following Fastify server:

```js
const app = require('fastify')();

app.get('/', async () => {
  return { hello: 'world' };
});
// ...
```

...
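The caching behaviour behind this report, as an added example that is not part of the original report and is not Fastify's code: a small in-memory model showing that a shared cache keyed only on method and URL replays the 404 to other clients, while an origin that sends `Vary: Accept-Version` keeps the variants apart. `origin`, `EdgeCache`, `run` and the request values are constructed for illustration, and the model assumes the cache stores 404 responses.

```javascript
// Added example: an in-memory model, not Fastify and not any real CDN.
// origin() mimics the behaviour described in the report: an unversioned
// route answers 404 when the request carries an Accept-Version header.
function origin(req, sendVary) {
  const hasVersion = req.headers['accept-version'] !== undefined;
  const res = hasVersion
    ? { status: 404, headers: {}, body: 'Not Found' }
    : { status: 200, headers: {}, body: '{"hello":"world"}' };
  // Mitigation under test: tell shared caches the response depends on this header.
  if (sendVary) res.headers.vary = 'Accept-Version';
  return res;
}

// Minimal shared cache. The primary key is method + URL; header names listed in
// a stored response's Vary form a secondary key (RFC 9111, section 4.1).
class EdgeCache {
  constructor(originFn) { this.originFn = originFn; this.store = new Map(); }
  handle(req) {
    const primary = `${req.method} ${req.url}`;
    const variants = this.store.get(primary) || [];
    const hit = variants.find(v =>
      v.varyOn.every(h => v.reqHeaders[h] === req.headers[h]));
    if (hit) return { ...hit.res, cache: 'HIT' };
    const res = this.originFn(req);
    const varyOn = (res.headers.vary || '').split(',')
      .map(s => s.trim().toLowerCase()).filter(Boolean);
    variants.push({ varyOn, reqHeaders: { ...req.headers }, res });
    this.store.set(primary, variants);
    return { ...res, cache: 'MISS' };
  }
}

// Constructed requests: one carrying Accept-Version, then an ordinary client.
function run(sendVary) {
  const cache = new EdgeCache(req => origin(req, sendVary));
  const first = cache.handle({ method: 'GET', url: '/', headers: { 'accept-version': '1.x' } });
  const second = cache.handle({ method: 'GET', url: '/', headers: {} });
  return { first: first.status, second: second.status, secondCache: second.cache };
}

console.log('no Vary  :', run(false));
console.log('with Vary:', run(true));
```

Stripping `Accept-Version` at the edge when no route uses versioning, or not caching 404 responses, closes the same gap from the cache side.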