This repository has been archived by the owner on Jan 24, 2021. It is now read-only.

Releases: NancyFx/Nancy

v1.4.4

20 Jul 08:36
  • Security issue in the JSON deserialization used by CSRF cookie handling. Removed the use of JSON (de)serialization in Csrf.cs to prevent a possible remote code execution vulnerability. Thanks to Alvaro Muñoz and Alexandr Mirosh from Hewlett-Packard Enterprise Security for pointing out this flaw. Affected versions are all Nancy 1.x releases and all pre-release candidates of 2.x up to and including 2.0-clinteastwood. The new CSRF cookie is not backwards compatible with cookies that were generated by earlier versions.

  • All 1.x users are advised to upgrade to 1.4.4

  • All 2.x users are advised to use a build from our MyGet feed until 2.0-dangermouse has been published to NuGet

ℹ️ Be advised that you must have explicitly enabled CSRF support, by calling CSRF.Enable(...), to be affected by this vulnerability.
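The safe direction taken by this fix, as an added illustration that is not Nancy's Csrf.cs: keep the CSRF cookie an opaque byte string (random nonce plus an HMAC over it) so that reading it back is fixed-length byte parsing and never hands cookie contents to an object or JSON deserializer. The class name, the `key` parameter and the .NET 6+ APIs are assumptions for this example.

```csharp
using System;
using System.Security.Cryptography;

// Added illustration (not Nancy's own Csrf.cs): a CSRF cookie that is opaque bytes,
// so validating it never involves an object/JSON deserializer.
// Cookie layout: 32 random bytes || HMAC-SHA256(key, random bytes), base64-encoded.
public static class OpaqueCsrfToken
{
    private const int NonceLength = 32;
    private const int MacLength = 32;

    // Mints a new cookie value. `key` is the server-side secret (hypothetical parameter).
    public static string Create(byte[] key)
    {
        var nonce = RandomNumberGenerator.GetBytes(NonceLength);
        var token = new byte[NonceLength + MacLength];
        Buffer.BlockCopy(nonce, 0, token, 0, NonceLength);
        using (var hmac = new HMACSHA256(key))
        {
            Buffer.BlockCopy(hmac.ComputeHash(nonce), 0, token, NonceLength, MacLength);
        }
        return Convert.ToBase64String(token);
    }

    // Validates an incoming cookie value against the same key.
    // Only base64 decoding and fixed offsets are interpreted; no type names, no object graph.
    public static bool IsValid(byte[] key, string cookieValue)
    {
        if (string.IsNullOrEmpty(cookieValue)) return false;
        byte[] token;
        try { token = Convert.FromBase64String(cookieValue); }
        catch (FormatException) { return false; }
        if (token.Length != NonceLength + MacLength) return false;

        var nonce = new byte[NonceLength];
        var presentedMac = new byte[MacLength];
        Buffer.BlockCopy(token, 0, nonce, 0, NonceLength);
        Buffer.BlockCopy(token, NonceLength, presentedMac, 0, MacLength);

        using (var hmac = new HMACSHA256(key))
        {
            var expectedMac = hmac.ComputeHash(nonce);
            // Constant-time comparison so a forged cookie cannot be refined byte by byte.
            return CryptographicOperations.FixedTimeEquals(expectedMac, presentedMac);
        }
    }
}
```

A cookie minted by an earlier, JSON-based format will fail `IsValid` here for the same reason the release notes give: the new format is not backwards compatible, and rejecting such cookies is the intended outcome.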