Vendure Cross Site Request Forgery vulnerability impacting all API requests

Low severity GitHub Reviewed Published Jul 11, 2023 in vendure-ecommerce/vendure • Updated Jul 11, 2023

Package

@vendure/core (npm)

Affected versions

< 2.0.3

Patched versions

2.0.3

Description

Impact

Vendure is an e-commerce GraphQL framework with a number of APIs and different levels of
authorization. By default, the cookie settings are insecure: the SameSite option is false,
which results in the cookie having no SameSite attribute at all (this originates from the
default settings of the cookie-session npm package).

Patches

In progress

Workarounds

Manually set the authOptions.cookieOptions.sameSite configuration option to 'strict', 'lax' or true.
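A way to check a configuration for this default and apply the workaround, as an added example that is not part of the advisory or of Vendure's own code. The `ConfigLike` types, the function names and the sample config are assumptions that mirror only the `authOptions.cookieOptions.sameSite` path named above.

```typescript
// Added example. These structural types mirror only the config path named in the
// advisory (authOptions.cookieOptions.sameSite); they are not imported from @vendure/core.
type SameSite = boolean | 'strict' | 'lax' | 'none';
interface CookieOptions { sameSite?: SameSite; [key: string]: unknown }
interface ConfigLike { authOptions?: { cookieOptions?: CookieOptions; [key: string]: unknown } }
interface Finding { ok: boolean; attribute: string; detail: string }

// Report which SameSite attribute the session cookie will carry for a given config.
function auditSameSite(config: ConfigLike): Finding {
  const value = config.authOptions?.cookieOptions?.sameSite;
  // The underlying cookies library treats `true` as 'strict'.
  if (value === true || value === 'strict') {
    return { ok: true, attribute: 'SameSite=Strict', detail: 'workaround applied' };
  }
  if (value === 'lax') {
    return { ok: true, attribute: 'SameSite=Lax', detail: 'workaround applied' };
  }
  // undefined and false both leave the cookie without a SameSite attribute,
  // which is the insecure default this advisory describes.
  const attribute = value === 'none' ? 'SameSite=None' : '(no SameSite attribute)';
  return { ok: false, attribute, detail: "set sameSite to 'strict', 'lax' or true" };
}

// Return a copy of the config with the workaround applied; other options are preserved.
function applyWorkaround(
  config: ConfigLike,
  sameSite: 'strict' | 'lax' | true = 'lax',
): ConfigLike {
  return {
    ...config,
    authOptions: {
      ...config.authOptions,
      cookieOptions: { ...config.authOptions?.cookieOptions, sameSite },
    },
  };
}

// Constructed sample config (not taken from a real deployment).
const defaultConfig: ConfigLike = {
  authOptions: { cookieOptions: { secret: 'placeholder-secret' } },
};
const fixedConfig = applyWorkaround(defaultConfig, 'strict');
console.log(auditSameSite(defaultConfig), auditSameSite(fixedConfig));
```
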

References

Are there any links users can visit to find out more?

Published to the GitHub Advisory Database Jul 11, 2023
Reviewed Jul 11, 2023
Last updated Jul 11, 2023

Severity

Low

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-h9wq-xcqx-mqxm
