CVE-2021-31812
Incorrect Content-Type Handling vulnerability in pdfbox (Maven)
What is CVE-2021-31812 About?
This vulnerability allows attackers to bypass CORS `Pre-Flight` checking for `fetch()` requests by exploiting incorrect `Content-Type` handling in Fastify. This can lead to a Cross-Site Request Forgery (CSRF) attack, allowing attackers to invoke routes intended for `application/json` with "simple" `Content-Type` headers. Exploitation is relatively easy because the request never triggers a `Pre-Flight` check. Note that this description refers to Fastify, a Node.js web framework, whereas the affected artifacts and references listed on this page are Apache PDFBox Maven packages and Apache mailing-list threads; the narrative below should be read with that mismatch in mind.
Affected Software
- org.apache.pdfbox:pdfbox
  - >2.0.0, <2.0.24
- org.apache.pdfbox:pdfbox-parent
  - >2.0.0, <2.0.24
Technical Details
The vulnerability in Fastify (versions up to 4.10.1 and 3.29.3) stems from incorrect handling of Content-Type headers that allows attackers to bypass Pre-Flight checks for fetch() requests. According to the CORS specification, fetch() requests whose Content-Type header has an "essence" (the media type with its parameters removed) of "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain" are considered "simple requests" and do not trigger a CORS Pre-Flight OPTIONS request. Fastify, however, may use the Content-Type to determine how to parse the request body. An attacker can craft a fetch() request with one of these simple Content-Type headers but include a body formatted as application/json. If the Fastify route is configured to accept only application/json (e.g., through a content-type parser), but the internal routing logic or a bypass mechanism does not enforce this after the Pre-Flight bypass, the attacker's request is still processed. This defeats the CORS protections that normally prevent cross-origin requests from reaching sensitive endpoints, and lets an attacker forge requests on behalf of a user, leading to Cross-Site Request Forgery (CSRF).
What is the Impact of CVE-2021-31812?
Successful exploitation may allow attackers to perform Cross-Site Request Forgery (CSRF) attacks, leading to unauthorized actions being executed on behalf of a victim user, data manipulation, or account compromise.
What is the Exploitability of CVE-2021-31812?
Exploitation involves crafting a malicious web page that makes a fetch() request to the vulnerable Fastify server. No direct authentication to the Fastify server is required by the attacker, as the attack leverages an authenticated user's browser session. This is a remote attack. The complexity is moderate, as it requires understanding CORS mechanisms and Fastify's content-type parsing. The key is the ability to send a request with a 'simple' Content-Type header while including a JSON-formatted body that Fastify will incorrectly parse. The primary risk factors are Fastify applications that are susceptible to CSRF (i.e., do not implement CSRF protection) and process requests from untrusted origins.
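The Technical Details and Exploitability sections above turn on one mechanism: the browser decides whether to send a Pre-Flight from the Content-Type essence, while the server decides how to parse the body. The following added example (written for this page; it is not Fastify's code and not taken from the advisory) shows that classification and contrasts a loose body handler with one that enforces `application/json` before parsing. The helper names `parseEssence`, `isCorsSimpleContentType`, `acceptBodyLoosely` and `acceptJsonBody`, and the two sample requests, are constructed for the illustration and are framework-independent.

```javascript
// Added example: how a "simple" Content-Type reaches a JSON route, and how to
// stop it. Helper names and sample requests below are hypothetical, not Fastify's.

// Content-Type essences that the Fetch spec treats as CORS-safelisted: a
// cross-origin fetch() carrying one of these sends no Pre-Flight OPTIONS request.
const CORS_SAFELISTED_ESSENCES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// The essence of a media type is type/subtype with parameters removed,
// compared case-insensitively ("text/plain;charset=UTF-8" -> "text/plain").
function parseEssence(contentType) {
  if (typeof contentType !== "string") return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// True when a cross-origin request with this Content-Type would skip Pre-Flight.
function isCorsSimpleContentType(contentType) {
  return CORS_SAFELISTED_ESSENCES.has(parseEssence(contentType));
}

// Weak handler: parses anything that looks like JSON, ignoring the declared type.
// A cross-origin page can reach it with a text/plain body and no Pre-Flight.
function acceptBodyLoosely(req) {
  try {
    return { ok: true, status: 200, data: JSON.parse(req.body) };
  } catch (e) {
    return { ok: false, status: 400, reason: "malformed body" };
  }
}

// Hardened handler: the route accepts only application/json. Every other essence,
// including the three simple ones, is rejected before the body is touched, so a
// request that skipped Pre-Flight is never routed into the JSON logic.
function acceptJsonBody(req) {
  const essence = parseEssence(req.headers["content-type"]);
  if (essence !== "application/json") {
    return { ok: false, status: 415, reason: `unsupported media type: ${essence || "(none)"}` };
  }
  try {
    return { ok: true, status: 200, data: JSON.parse(req.body) };
  } catch (e) {
    return { ok: false, status: 400, reason: "malformed JSON" };
  }
}

// Constructed sample requests: the first mirrors the cross-origin request the
// advisory describes (simple Content-Type, JSON body); the second is a normal
// same-origin JSON client.
const crossOriginSimple = {
  headers: { "content-type": "text/plain;charset=UTF-8", origin: "https://other.example" },
  body: '{"action":"update-email","value":"user@example.test"}',
};
const legitimateJson = {
  headers: { "content-type": "application/json", origin: "https://app.example" },
  body: '{"action":"update-email","value":"user@example.test"}',
};

// Runs both handlers over both requests and returns the outcomes for inspection.
function demo() {
  return {
    crossOriginSkipsPreflight: isCorsSimpleContentType(crossOriginSimple.headers["content-type"]),
    looseHandlerOnCrossOrigin: acceptBodyLoosely(crossOriginSimple),
    strictHandlerOnCrossOrigin: acceptJsonBody(crossOriginSimple),
    strictHandlerOnLegitimate: acceptJsonBody(legitimateJson),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Strict Content-Type enforcement closes the parsing hole the advisory describes, but it is not CSRF protection on its own: a route reachable by a simple request still needs an Origin check or an anti-CSRF token, which is the "primary risk factor" the Exploitability section names.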
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-31812?
Available Upgrade Options
- org.apache.pdfbox:pdfbox
  - >2.0.0, <2.0.24 → Upgrade to 2.0.24
- org.apache.pdfbox:pdfbox-parent
  - >2.0.0, <2.0.24 → Upgrade to 2.0.24
Additional Resources
- https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e%40%3Cusers.pdfbox.apache.org%3E
- http://www.openwall.com/lists/oss-security/2021/06/12/1
- https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f@%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba@%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea@%3Ccommits.ofbiz.apache.org%3E
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.apache.org/thread.html/rf251f6c358087107f8c23473468b279d59d50a75db6b4768165c78d3%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba%40%3Cnotifications.ofbiz.apache.org%3E