Configuration Override in helmet-csp
Moderate severity
GitHub Reviewed
Published
Sep 3, 2020
to the GitHub Advisory Database
•
Updated Jan 9, 2023
Description
Reviewed
Aug 31, 2020
Published to the GitHub Advisory Database
Sep 3, 2020
Last updated
Jan 9, 2023
Versions of
helmet-csp
before to 2.9.1 are vulnerable to a Configuration Override affecting the application's Content Security Policy (CSP). The package's browser sniffing for Firefox deletes thedefault-src
CSP policy, which is the fallback policy. This allows an attacker to remove an application's default CSP, possibly rendering the application vulnerable to Cross-Site Scripting.Recommendation
Upgrade to version 2.9.1 or later. Setting the
browserSniff
configuration tofalse
in vulnerable versions also mitigates the issue.References