Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-sw46-5p81-kqhv
Vulnerability ID VCID-sw46-5p81-kqhv
Aliases CVE-2017-16570
GHSA-q43c-g2g7-6gxj
Summary Cross-Site Request Forgery (CSRF) KeystoneJS allows application-wide CSRF bypass by removing the CSRF parameter and value.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-352 Cross-Site Request Forgery (CSRF)
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1 8.8 http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report
generic_textual HIGH http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report
epss 0.00198 https://api.first.org/data/v1/epss?cve=CVE-2017-16570
cvssv3.1 8.8 https://github.com/advisories/GHSA-q43c-g2g7-6gxj
generic_textual HIGH https://github.com/advisories/GHSA-q43c-g2g7-6gxj
cvssv3.1 8.8 https://github.com/keystonejs/keystone/issues/4437
generic_textual HIGH https://github.com/keystonejs/keystone/issues/4437
cvssv3.1 8.8 https://github.com/keystonejs/keystone/pull/4478
generic_textual HIGH https://github.com/keystonejs/keystone/pull/4478
cvssv3.1 8.8 https://nvd.nist.gov/vuln/detail/CVE-2017-16570
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2017-16570
cvssv3.1 8.8 https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
generic_textual HIGH https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
cvssv3.1 8.8 https://snyk.io/vuln/SNYK-JS-KEYSTONE-449663
generic_textual HIGH https://snyk.io/vuln/SNYK-JS-KEYSTONE-449663
cvssv3.1 8.8 https://www.exploit-db.com/exploits/43922
generic_textual HIGH https://www.exploit-db.com/exploits/43922
cvssv3.1 8.8 https://www.npmjs.com/advisories/979
generic_textual HIGH https://www.npmjs.com/advisories/979
Reference id Reference type URL
http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report
http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/
https://api.first.org/data/v1/epss?cve=CVE-2017-16570
https://github.com/advisories/GHSA-q43c-g2g7-6gxj
https://github.com/keystonejs/keystone/issues/4437
https://github.com/keystonejs/keystone/pull/4478
https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
https://snyk.io/vuln/SNYK-JS-KEYSTONE-449663
https://www.exploit-db.com/exploits/43922
https://www.npmjs.com/advisories/979
CVE-2017-16570 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/nodejs/webapps/43922.html
CVE-2017-16570 https://nvd.nist.gov/vuln/detail/CVE-2017-16570
Data source Exploit-DB
Date added Jan. 28, 2018
Description KeystoneJS < 4.0.0-beta.7 - Cross-Site Request Forgery
Ransomware campaign use Unknown
Source publication date Jan. 28, 2018
Exploit type webapps
Platform nodejs
Source update date Jan. 28, 2018
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/advisories/GHSA-q43c-g2g7-6gxj
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/keystonejs/keystone/issues/4437
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/keystonejs/keystone/pull/4478
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2017-16570
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://snyk.io/vuln/SNYK-JS-KEYSTONE-449663
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://www.exploit-db.com/exploits/43922
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://www.npmjs.com/advisories/979
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.41748
EPSS Score 0.00198
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:37:19.030384+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/keystone/CVE-2017-16570.yml 38.6.0