CVE-2022-39287

HIGH

tiny-csrf < 1.1.0 - Cleartext Transmission of Sensitive Information


Description

tiny-csrf is a Node.js cross-site request forgery (CSRF) protection middleware. In versions prior to 1.1.0, cookies were not encrypted, and thus CSRF tokens were transmitted in the clear. This issue has been addressed in commit `8eead6d` and the patch will be included in version 1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.

Scores

CVSS v3 8.1
EPSS 0.0016
EPSS Percentile 36.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-319
Status published
Products (2)
npm/tiny-csrf 0 - 1.1.0 (npm)
tiny-csrf_project/tiny-csrf < 1.1.0
Published Oct 07, 2022
Tracked Since Feb 18, 2026