NodeJS/tough-cookie/1.0.0
RFC6265 Cookies and Cookie Jar for node.js
https://www.npmjs.com/package/tough-cookie
BSD-3-Clause
4 Security Vulnerabilities
tough-cookie Prototype Pollution vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2023-26136
- https://github.com/salesforce/tough-cookie/issues/282
- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e
- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3
- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
- https://github.com/advisories/GHSA-72xf-g2v4-qvf3
- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ
- https://security.netapp.com/advisory/ntap-20240621-0006
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of cookies when using CookieJar in rejectPublicSuffixes=false mode. The issue arises from the manner in which the store's lookup objects are initialized: they are plain objects that inherit from Object.prototype, so a cookie whose Domain attribute is a special property name such as __proto__ (which only passes validation once public-suffix checking is disabled) writes into the shared prototype instead of into the jar.
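As an added illustration, not tough-cookie's own code, the following models the nested domain, path and name index that an in-memory cookie store keeps, once with plain-object initialization and once with null-prototype objects, and feeds both a constructed cookie in the shape of the public proof of concept (Domain=__proto__, Path=/notauth, name Slonser). The class and function names are this example's own.

```javascript
// Added illustration (not tough-cookie's code): a minimal domain -> path -> name
// cookie index in the style of an in-memory cookie store. The two variants differ
// only in how each level of the nested index is initialised.

class NaiveIndex {
  constructor() {
    this.idx = {}; // plain object: inherits from Object.prototype
  }
  put(domain, path, name, cookie) {
    // With domain "__proto__", idx[domain] resolves to Object.prototype itself,
    // which is truthy, so the check passes and the next writes land on the
    // global prototype shared by every plain object in the process.
    if (!this.idx[domain]) this.idx[domain] = {};
    if (!this.idx[domain][path]) this.idx[domain][path] = {};
    this.idx[domain][path][name] = cookie;
  }
  get(domain, path, name) {
    return this.idx[domain] && this.idx[domain][path] && this.idx[domain][path][name];
  }
}

class HardenedIndex {
  constructor() {
    this.idx = Object.create(null); // no prototype: "__proto__" is an ordinary key
  }
  put(domain, path, name, cookie) {
    // Every level is a null-prototype object, so nothing is inherited and the
    // assignment always creates an own property on this store's data.
    if (!this.idx[domain]) this.idx[domain] = Object.create(null);
    if (!this.idx[domain][path]) this.idx[domain][path] = Object.create(null);
    this.idx[domain][path][name] = cookie;
  }
  get(domain, path, name) {
    return this.idx[domain] && this.idx[domain][path] && this.idx[domain][path][name];
  }
}

// Stores one attacker-shaped cookie, then checks whether an unrelated fresh
// object acquired the path key. Returns both the leak flag and the value the
// store itself reports, so the two variants can be compared directly.
function storeAndProbe(IndexClass) {
  const store = new IndexClass();
  // Constructed input following the public proof-of-concept shape.
  store.put('__proto__', '/notauth', 'Slonser', 'polluted');
  const storedValue = store.get('__proto__', '/notauth', 'Slonser');
  const probe = {};                               // fresh object, never touched by the store
  const leaked = probe['/notauth'] !== undefined; // true only if Object.prototype was written
  delete Object.prototype['/notauth'];            // undo the pollution for the rest of the process
  return { leaked, storedValue };
}

for (const Index of [NaiveIndex, HardenedIndex]) {
  const { leaked, storedValue } = storeAndProbe(Index);
  console.log(`${Index.name}: stored=${storedValue}, fresh {} gained "/notauth"? ${leaked}`);
}
```

Both stores report the cookie as stored; only the naive one also makes `({})['/notauth']` appear on every object in the process. Keeping rejectPublicSuffixes at its default of true is what normally keeps such a Domain out of the jar in the first place; the null-prototype store removes the sink regardless of that setting.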
Regular Expression Denial of Service in tough-cookie
- https://nvd.nist.gov/vuln/detail/CVE-2017-15010
- https://github.com/advisories/GHSA-g7q5-pjjr-gqvp
- https://github.com/salesforce/tough-cookie/issues/92
- https://www.npmjs.com/advisories/525
- https://access.redhat.com/errata/RHSA-2017:2912
- https://access.redhat.com/errata/RHSA-2017:2913
- https://access.redhat.com/errata/RHSA-2018:1263
- https://access.redhat.com/errata/RHSA-2018:1264
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT/
- https://nodesecurity.io/advisories/525
- https://snyk.io/vuln/npm:tough-cookie:20170905
- http://www.securityfocus.com/bid/101185
- https://github.com/salesforce/tough-cookie/commit/f1ed420a6a92ea7a5418df6e39e676556bc0c71d
Affected versions of tough-cookie are susceptible to a regular expression denial of service.
The amplification of this vulnerability is relatively low: the regex engine takes around 2 seconds on a malicious input 50,000 characters long.
The practical limit on that input is Node's default maximum HTTP header size, since the malicious string has to arrive in a header. If Node was compiled with -DHTTP_MAX_HEADER_SIZE set to a larger value, however, the impact can be significant.
Recommendation
Update to version 2.3.3 or later.
ReDoS via long string of semicolons in tough-cookie
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000232
- https://github.com/advisories/GHSA-qhv9-728r-6jqg
- https://www.npmjs.com/advisories/130
- https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae
- https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534
- https://access.redhat.com/errata/RHSA-2016:2101
- https://access.redhat.com/errata/RHSA-2017:2912
- https://access.redhat.com/security/cve/cve-2016-1000232
- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/
Affected versions of tough-cookie may be vulnerable to regular expression denial of service when long strings of semicolons exist in the Set-Cookie header.
Recommendation
Update to version 2.3.0 or later.
ReDoS via long string of semicolons
Tough-cookie is a cookie parsing and management library.
Versions 0.9.7 through 2.2.2 contain a vulnerable regular expression that, under certain conditions involving long strings of semicolons in the Set-Cookie header, causes the event loop to block for excessive amounts of time.
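Both ReDoS entries above (CVE-2017-15010 and CVE-2016-1000232) concern the same kind of input, a Set-Cookie header dominated by semicolons. As an added example that is not tough-cookie's code, the parser below splits a set-cookie-string the way RFC 6265 section 5.2 describes, one indexOf and slice per token, so its cost is linear in header length and the empty tokens between consecutive semicolons are simply dropped. The 50,000-semicolon header and all function names are constructed for this illustration.

```javascript
// Added illustration, not tough-cookie's code: a regex-free Set-Cookie parser
// following the RFC 6265 section 5.2 algorithm. Each step consumes the input up
// to the next ';' or '=', so there is no backtracking for a run of semicolons
// to amplify.

const WSP = ' \t'; // RFC 6265 trims only WSP (space, horizontal tab)

function trimWsp(s) {
  let start = 0;
  let end = s.length;
  while (start < end && WSP.includes(s[start])) start++;
  while (end > start && WSP.includes(s[end - 1])) end--;
  return s.slice(start, end);
}

// Split one "name=value" or bare "name" token at its first '='.
function splitPair(token) {
  const eq = token.indexOf('=');
  if (eq === -1) return { name: trimWsp(token), value: '', hasEq: false };
  return { name: trimWsp(token.slice(0, eq)), value: trimWsp(token.slice(eq + 1)), hasEq: true };
}

// Returns { name, value, attrs, skipped } or null when the string must be ignored.
function parseSetCookie(header) {
  // Step 1: the name-value-pair ends at the first ';' (or the end of the string).
  const firstSemi = header.indexOf(';');
  const pairStr = firstSemi === -1 ? header : header.slice(0, firstSemi);
  let unparsed = firstSemi === -1 ? '' : header.slice(firstSemi + 1);

  // Step 2: a pair without '=' or with an empty name means the whole string is ignored.
  const pair = splitPair(pairStr);
  if (!pair.hasEq || pair.name === '') return null;

  // Step 3: consume cookie-av tokens one ';' at a time.
  const attrs = [];
  let skipped = 0;
  while (unparsed.length > 0) {
    const semi = unparsed.indexOf(';');
    const av = semi === -1 ? unparsed : unparsed.slice(0, semi);
    unparsed = semi === -1 ? '' : unparsed.slice(semi + 1);
    const { name, value } = splitPair(av);
    if (name === '') { skipped++; continue; } // ";;;" yields empty tokens: drop them
    attrs.push({ name: name.toLowerCase(), value });
  }
  return { name: pair.name, value: pair.value, attrs, skipped };
}

// Constructed pathological header: a valid pair, 50,000 bare semicolons, then real attributes.
const PATHOLOGICAL = 'session=abc123' + ';'.repeat(50000) + '; Path=/; HttpOnly';

// Parses the header and reports wall-clock milliseconds alongside the result.
function timedParse(header) {
  const t0 = process.hrtime.bigint();
  const parsed = parseSetCookie(header);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { parsed, ms };
}

const { parsed, ms } = timedParse(PATHOLOGICAL);
console.log(`kept ${parsed.attrs.length} attributes, skipped ${parsed.skipped} empty tokens in ${ms.toFixed(2)} ms`);
```

Upgrading to a fixed release is the actual remediation for both advisories; the example only shows why a step-by-step split is immune to the input class they describe, and gives a harness a practitioner can point at any cookie parser to compare timings on the same header.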
58 Other Versions
| Version | License | Security | Released | Age |
|---|---|---|---|---|
| 6.0.1 | BSD-3-Clause | | 2026-03-12 - 18:39 | about 2 months |
| 6.0.0 | BSD-3-Clause | | 2025-08-14 - 19:56 | 9 months |
| 6.0.0-rc.2 | BSD-3-Clause | | 2025-08-04 - 16:53 | 9 months |
| 6.0.0-rc.1 | BSD-3-Clause | | 2025-07-24 - 14:54 | 9 months |
| 6.0.0-rc.0 | BSD-3-Clause | | 2025-05-02 - 13:50 | 12 months |
| 5.1.2 | BSD-3-Clause | | 2025-02-28 - 18:27 | about 1 year |
| 5.1.1 | BSD-3-Clause | | 2025-02-07 - 17:32 | about 1 year |
| 5.1.0 | BSD-3-Clause | | 2025-01-09 - 15:36 | over 1 year |
| 5.1.0-rc.0 | BSD-3-Clause | | 2025-01-08 - 18:57 | over 1 year |
| 5.0.0 | BSD-3-Clause | | 2024-09-09 - 16:40 | over 1 year |
| 5.0.0-rc.4 | BSD-3-Clause | | 2024-07-19 - 17:42 | almost 2 years |
| 5.0.0-rc.3 | BSD-3-Clause | | 2024-07-10 - 13:23 | almost 2 years |
| 5.0.0-rc.2 | BSD-3-Clause | | 2024-05-16 - 20:03 | almost 2 years |
| 5.0.0-rc.1 | BSD-3-Clause | | 2024-02-29 - 18:21 | about 2 years |
| 5.0.0-rc.0 | BSD-3-Clause | | 2023-09-27 - 16:06 | over 2 years |
| 4.1.4 | BSD-3-Clause | | 2024-04-29 - 14:11 | about 2 years |
| 4.1.3 | BSD-3-Clause | | 2023-06-05 - 17:32 | almost 3 years |
| 4.1.2 | BSD-3-Clause | 1 | 2022-08-25 - 18:51 | over 3 years |
| 4.1.1 | BSD-3-Clause | 1 | 2022-08-24 - 19:38 | over 3 years |
| 4.1.0 | BSD-3-Clause | 1 | 2022-08-22 - 17:35 | over 3 years |
| 4.0.0 | BSD-3-Clause | 1 | 2020-03-19 - 19:20 | about 6 years |
| 3.0.1 | BSD-3-Clause | 1 | 2019-02-05 - 03:09 | about 7 years |
| 3.0.0 | BSD-3-Clause | 1 | 2019-01-08 - 19:52 | over 7 years |
| 2.5.0 | BSD-3-Clause | 1 | 2018-11-26 - 22:58 | over 7 years |
| 2.4.3 | BSD-3-Clause | 1 | 2018-06-25 - 20:56 | almost 8 years |
| 2.4.2 | BSD-3-Clause | 1 | 2018-06-04 - 23:05 | almost 8 years |
| 2.3.4 | BSD-3-Clause | 1 | 2018-02-26 - 22:29 | about 8 years |
| 2.3.3 | BSD-3-Clause | 1 | 2017-09-21 - 21:05 | over 8 years |
| 2.3.2 | BSD-3-Clause | 2 | 2016-10-25 - 17:07 | over 9 years |
| 2.3.1 | BSD-3-Clause | 2 | 2016-07-26 - 01:01 | almost 10 years |
| 2.3.0 | BSD-3-Clause | 2 | 2016-07-21 - 18:44 | almost 10 years |
| 2.2.2 | BSD-3-Clause | 4 | 2016-03-09 - 23:03 | about 10 years |
| 2.2.1 | BSD-3-Clause | 4 | 2015-11-13 - 01:52 | over 10 years |
| 2.2.0 | BSD-3-Clause | 4 | 2015-10-06 - 23:18 | over 10 years |
| 2.1.0 | BSD-3-Clause | 4 | 2015-10-02 - 17:49 | over 10 years |
| 2.0.0 | BSD-3-Clause | 4 | 2015-06-10 - 22:13 | almost 11 years |
| 1.2.0 | BSD-3-Clause | 4 | 2015-05-25 - 16:49 | almost 11 years |
| 1.1.0 | BSD-3-Clause | 4 | 2015-04-28 - 18:14 | about 11 years |
| 1.0.0 | BSD-3-Clause | 4 | 2015-04-28 - 01:38 | about 11 years |
| 0.13.0 | BSD-3-Clause | 4 | 2015-04-22 - 01:25 | about 11 years |
| 0.12.1 | MIT | 4 | 2014-01-16 - 18:26 | over 12 years |
| 0.12.0 | MIT | 4 | 2014-01-13 - 21:32 | over 12 years |
| 0.11.0 | MIT | 4 | 2014-01-13 - 18:21 | over 12 years |
| 0.10.0 | MIT | 4 | 2014-01-10 - 21:47 | over 12 years |
| 0.9.15 | BSD-3-Clause | 4 | 2013-01-25 - 17:35 | over 13 years |
| 0.9.14 | BSD-3-Clause | 4 | 2012-09-28 - 17:45 | over 13 years |
| 0.9.13 | BSD-3-Clause | 4 | 2012-05-08 - 16:21 | almost 14 years |
| 0.9.12 | BSD-3-Clause | 4 | 2012-04-25 - 16:48 | about 14 years |
| 0.9.11 | BSD-3-Clause | 4 | 2012-04-23 - 17:02 | about 14 years |
| 0.9.9 | BSD-3-Clause | 4 | 2012-04-17 - 02:38 | about 14 years |
