NodeJS/tough-cookie/0.9.5
RFC6265 Cookies and Cookie Jar for node.js
https://www.npmjs.com/package/tough-cookie
BSD-3-Clause
3 Security Vulnerabilities
tough-cookie Prototype Pollution vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2023-26136
- https://github.com/salesforce/tough-cookie/issues/282
- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e
- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3
- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
- https://github.com/advisories/GHSA-72xf-g2v4-qvf3
- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ
- https://security.netapp.com/advisory/ntap-20240621-0006
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution when a CookieJar is used in rejectPublicSuffixes=false mode. The in-memory store indexes cookies by domain, path and name in plain object literals, so a cookie whose Domain attribute is `__proto__` is written into Object.prototype rather than into a fresh index entry; with the default rejectPublicSuffixes=true such a domain has no public suffix and the cookie is rejected before it is stored. The 4.1.3 fix (linked commit) initializes the index objects with a null prototype (Object.create(null)) so that `__proto__` is an ordinary key.
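The mechanism, as an added example that is not tough-cookie's code: a minimal in-memory cookie index in two variants, one built from plain object literals and one from null-prototype objects (the approach the upstream fix takes). The names `makeCookieIndex` and `pollutionProbe` and the cookie inputs are constructed for this illustration.

```javascript
// Added example, not tough-cookie's code: a minimal model of an in-memory
// cookie index keyed idx[domain][path][name], in two variants. With plain
// object literals, a cookie whose Domain attribute is "__proto__" walks
// into Object.prototype; with null-prototype objects "__proto__" is just
// an ordinary own property.

function makeCookieIndex(hardened) {
  const fresh = hardened ? () => Object.create(null) : () => ({});
  const idx = fresh();
  return {
    put(domain, path, name, value) {
      // In the vulnerable variant idx["__proto__"] resolves to
      // Object.prototype (truthy), so the nested writes below land there.
      if (!idx[domain]) idx[domain] = fresh();
      if (!idx[domain][path]) idx[domain][path] = fresh();
      idx[domain][path][name] = value;
    },
    get(domain, path, name) {
      const d = idx[domain];
      const p = d && d[path];
      return p ? p[name] : undefined;
    },
  };
}

// Stores a hostile cookie with Domain=__proto__ (constructed input, the
// shape a jar with rejectPublicSuffixes=false would accept), then a
// legitimate one. Reports whether Object.prototype gained the hostile path
// key, whether an unrelated empty object can see it, and that the
// legitimate cookie is still retrievable. Cleans up so the process is left
// unpolluted afterwards.
function pollutionProbe(hardened) {
  const store = makeCookieIndex(hardened);
  store.put("__proto__", "/notauth", "evil", "polluted");
  store.put("example.com", "/", "session", "abc");
  const bystander = {};
  const leaked = Object.prototype.hasOwnProperty.call(Object.prototype, "/notauth");
  const visible = bystander["/notauth"] !== undefined;
  delete Object.prototype["/notauth"];
  return { leaked, visible, legit: store.get("example.com", "/", "session") };
}
```

Running `pollutionProbe(false)` reports the leak while `pollutionProbe(true)` does not; the legitimate cookie reads back the same in both, which is why the bug stayed invisible to ordinary functional tests.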
Regular Expression Denial of Service in tough-cookie
- https://nvd.nist.gov/vuln/detail/CVE-2017-15010
- https://github.com/advisories/GHSA-g7q5-pjjr-gqvp
- https://github.com/salesforce/tough-cookie/issues/92
- https://www.npmjs.com/advisories/525
- https://access.redhat.com/errata/RHSA-2017:2912
- https://access.redhat.com/errata/RHSA-2017:2913
- https://access.redhat.com/errata/RHSA-2018:1263
- https://access.redhat.com/errata/RHSA-2018:1264
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT/
- https://nodesecurity.io/advisories/525
- https://snyk.io/vuln/npm:tough-cookie:20170905
- http://www.securityfocus.com/bid/101185
- https://github.com/salesforce/tough-cookie/commit/f1ed420a6a92ea7a5418df6e39e676556bc0c71d
Affected versions of tough-cookie are susceptible to regular expression denial of service (ReDoS) when parsing a crafted cookie string.
The amplification is relatively low: the engine takes around 2 seconds on a malicious input 50,000 characters long.
If node was compiled with a larger -DHTTP_MAX_HEADER_SIZE, however, the impact can be significant, because the primary limit on the attack is node's default maximum HTTP header size. That limit only bounds cookie strings that arrive through node's own HTTP parser; a string handed to the library from another source (a stored value, a proxy that forwards oversized headers) is not capped by it.
Recommendation
Update to version 2.3.3 or later.
ReDoS via long string of semicolons in tough-cookie
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000232
- https://github.com/advisories/GHSA-qhv9-728r-6jqg
- https://www.npmjs.com/advisories/130
- https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae
- https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534
- https://access.redhat.com/errata/RHSA-2016:2101
- https://access.redhat.com/errata/RHSA-2017:2912
- https://access.redhat.com/security/cve/cve-2016-1000232
- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/
Affected versions of tough-cookie may be vulnerable to regular expression denial of service when the Set-Cookie header contains long runs of semicolons.
Recommendation
Update to version 2.3.0 or later.
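Both ReDoS advisories above concern the same parsing step: splitting a Set-Cookie header into its cookie-pair and attributes on input padded with semicolons or whitespace. The following is an added example, not tough-cookie's parser, of doing that split in a single pass with no regular expression, so cost stays linear in header length; it also caps header size and keeps parsed attributes on a null-prototype object. `parseSetCookie`, `timeParse`, the `DEFAULT_MAX_HEADER_BYTES` value and the sample headers are assumptions constructed for this illustration.

```javascript
// Added example, not tough-cookie's parser: a single-pass Set-Cookie header
// splitter whose cost is linear in the header length. Long runs of ';' or
// whitespace (the inputs behind the two ReDoS advisories) only produce empty
// segments, which are discarded. Attributes are stored on a null-prototype
// object so a hostile attribute such as "__proto__=x" cannot reach
// Object.prototype either.

const DEFAULT_MAX_HEADER_BYTES = 8192; // assumption: conservative cap on one Set-Cookie header

function parseSetCookie(header, maxBytes = DEFAULT_MAX_HEADER_BYTES) {
  if (typeof header !== "string") throw new TypeError("header must be a string");
  if (header.length > maxBytes) return { ok: false, reason: "header too long" };

  // Split on ';' in one pass. No regex, so no backtracking.
  const segments = [];
  let start = 0;
  for (let i = 0; i <= header.length; i++) {
    if (i === header.length || header[i] === ";") {
      const seg = header.slice(start, i).trim();
      if (seg.length > 0) segments.push(seg);
      start = i + 1;
    }
  }
  if (segments.length === 0) return { ok: false, reason: "no cookie-pair" };

  // RFC 6265 cookie-pair: a non-empty name, '=', then the value.
  const eq = segments[0].indexOf("=");
  if (eq < 1) return { ok: false, reason: "missing cookie name" };
  const name = segments[0].slice(0, eq).trim();
  const value = segments[0].slice(eq + 1).trim();

  // Attribute names are case-insensitive; a bare attribute (Secure, HttpOnly)
  // is recorded as true.
  const attrs = Object.create(null);
  for (let i = 1; i < segments.length; i++) {
    const seg = segments[i];
    const k = seg.indexOf("=");
    const key = (k === -1 ? seg : seg.slice(0, k)).trim().toLowerCase();
    attrs[key] = k === -1 ? true : seg.slice(k + 1).trim();
  }
  return { ok: true, name, value, attrs };
}

// Wall-clock milliseconds for one parse with the size cap disabled, so a
// practitioner can confirm the cost stays flat as the adversarial input grows.
function timeParse(header) {
  const t0 = process.hrtime.bigint();
  parseSetCookie(header, Infinity);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Constructed inputs: a normal header and the two advisory shapes.
const NORMAL = "session=abc123; Path=/; Domain=example.com; Secure; HttpOnly";
const SEMICOLON_RUN = "a=b" + ";".repeat(50000);
const WHITESPACE_RUN = "a=b;" + " ".repeat(50000) + ";Path=/";
```

With the default cap, `SEMICOLON_RUN` is refused before any parsing; with the cap disabled it still parses in well under a millisecond, which is the behaviour to expect from a splitter that never backtracks. The cap is a defence in depth for inputs that do not pass through node's HTTP parser and its own header-size limit.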
58 Other Versions
| Version | License | Vulnerabilities | Released | Age |
|---|---|---|---|---|
| 0.9.8 | BSD-3-Clause | 4 | 2011-12-15 - 16:03 | over 14 years |
| 0.9.7 | BSD-3-Clause | 4 | 2011-12-01 - 23:14 | over 14 years |
| 0.9.6 | BSD-3-Clause | 3 | 2011-11-23 - 19:26 | over 14 years |
| 0.9.5 | BSD-3-Clause | 3 | 2011-11-23 - 16:09 | over 14 years |
| 0.9.4 | BSD-3-Clause | 3 | 2011-11-23 - 15:55 | over 14 years |
| 0.9.3 | BSD-3-Clause | 3 | 2011-11-07 - 22:32 | over 14 years |
| 0.9.1 | BSD-3-Clause | 3 | 2011-10-31 - 20:14 | over 14 years |
| 0.9.0 | BSD-3-Clause | 3 | 2011-10-21 - 19:06 | over 14 years |
