Lightweight, low-ceremony, framework for building HTTP based services on .Net and Mono
Security issue in the JSON deserialization used by CSRF cookie handling. The use of JSON (de)serialization in Csrf.cs has been removed to prevent a possible remote code execution vulnerability. Thanks to Alvaro Muñoz and Alexandr Mirosh from Hewlett-Packard Enterprise Security for pointing out this flaw.

Affected versions are all Nancy 1.x releases and all pre-release candidates of 2.x up to and including 2.0-clinteastwood. The new CSRF cookie is not backwards compatible with cookies that were generated by earlier versions.

All 1.x users are advised to upgrade to 1.4.4.

All 2.x users are advised to use a build from our MyGet feed until 2.0-dangermouse has been published to NuGet.

ℹ️ Be advised that you have to have explicitly enabled CSRF support, by calling CSRF.Enable(...), to be affected by this vulnerability.
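The underlying lesson of this advisory is that a CSRF cookie comes back from the client, so feeding it to a general-purpose (de)serializer turns it into attacker-controlled input for that serializer. The following is an added example, not Nancy's code and not the fix shipped in 1.4.4 or 2.0-dangermouse (the advisory does not say which serializer was involved or how the cookie was abused, so only the hardened design is shown): the cookie is an opaque value made of random bytes plus an HMAC, and validation parses fixed-width bytes and compares MACs in constant time without ever reconstructing an object from the cookie. The class name `OpaqueCsrfToken`, the token layout and the hard-coded key in the usage comment are assumptions for illustration; the API calls are standard .NET 6+ cryptography.

```csharp
// Added example (not Nancy's code): a CSRF cookie that is never deserialized.
// Cookie value = base64( random[32] || HMAC-SHA256(key, random) ).
// The server keeps `key` secret; in a real deployment it comes from configuration,
// not from source. Targets .NET 6 or later.
using System;
using System.Security.Cryptography;
using System.Text;

public static class OpaqueCsrfToken
{
    private const int RandomLength = 32;   // 256 bits of randomness
    private const int MacLength = 32;      // HMAC-SHA256 output size

    // Issue a fresh cookie value. Nothing here is an object graph, so there is
    // nothing for a deserializer to instantiate on the way back in.
    public static string Create(byte[] key)
    {
        byte[] random = RandomNumberGenerator.GetBytes(RandomLength);
        byte[] mac = HMACSHA256.HashData(key, random);

        byte[] token = new byte[RandomLength + MacLength];
        Buffer.BlockCopy(random, 0, token, 0, RandomLength);
        Buffer.BlockCopy(mac, 0, token, RandomLength, MacLength);
        return Convert.ToBase64String(token);
    }

    // Validate a cookie value received from the client. Every malformed input
    // (empty, bad base64, wrong length, bad MAC) yields false rather than an
    // exception, so the caller treats all failures identically.
    public static bool IsValid(byte[] key, string cookieValue)
    {
        if (string.IsNullOrEmpty(cookieValue)) return false;

        byte[] token;
        try { token = Convert.FromBase64String(cookieValue); }
        catch (FormatException) { return false; }

        if (token.Length != RandomLength + MacLength) return false;

        var random = new ReadOnlySpan<byte>(token, 0, RandomLength);
        var presentedMac = new ReadOnlySpan<byte>(token, RandomLength, MacLength);
        byte[] expectedMac = HMACSHA256.HashData(key, random);

        // Constant-time comparison: a byte-by-byte early exit would leak MAC bytes.
        return CryptographicOperations.FixedTimeEquals(presentedMac, expectedMac);
    }

    // Double-submit check: the form field must equal the cookie, again compared
    // in constant time. Both values are treated as plain strings only.
    public static bool Matches(string cookieValue, string formValue)
    {
        if (cookieValue is null || formValue is null) return false;
        return CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(cookieValue),
            Encoding.UTF8.GetBytes(formValue));
    }
}

// Usage (hypothetical key; load a real one from protected configuration):
//   byte[] key = Convert.FromBase64String("c2VjcmV0LWtleS1mcm9tLWNvbmZpZy0zMmJ5dGVzISE=");
//   string cookie = OpaqueCsrfToken.Create(key);
//   bool ok = OpaqueCsrfToken.IsValid(key, cookie)            // true for a fresh token
//          && OpaqueCsrfToken.Matches(cookie, formFieldValue); // true when the form echoes it
//   bool tampered = OpaqueCsrfToken.IsValid(key, cookie.Substring(1)); // false: base64/length/MAC fail
```

Two design points are worth keeping when adapting this: the cookie layout is fixed-width, so the parser has no variable-length structure to interpret, and the MAC is verified before the value is used for anything, so an attacker who can set cookies but does not hold the server key cannot produce a value that passes `IsValid`. Rotating the key invalidates all outstanding cookies, which is the same backwards-compatibility effect the advisory describes for the new cookie format.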