NodeJS/tough-cookie/2.3.3
RFC6265 Cookies and Cookie Jar for node.js
https://www.npmjs.com/package/tough-cookie
BSD-3-Clause
1 Security Vulnerability
tough-cookie Prototype Pollution vulnerability
Published date: 2023-07-01T06:30:16Z
CVE: CVE-2023-26136
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2023-26136
- https://github.com/salesforce/tough-cookie/issues/282
- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e
- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3
- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
- https://github.com/advisories/GHSA-72xf-g2v4-qvf3
- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ
- https://security.netapp.com/advisory/ntap-20240621-0006
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Affected versions: ["4.1.2", "4.1.1", "4.1.0", "4.0.0", "3.0.1", "3.0.0", "2.5.0", "2.4.3", "2.4.2", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.0", "1.2.0", "1.1.0", "1.0.0", "0.13.0", "0.12.1", "0.12.0", "0.11.0", "0.10.0", "0.9.15", "0.9.14", "0.9.13", "0.9.12", "0.9.11", "0.9.9", "0.9.8", "0.9.7", "0.9.6", "0.9.5", "0.9.4", "0.9.3", "0.9.1", "0.9.0"]
Secure versions: [4.1.3, 4.1.4, 5.0.0, 5.0.0-rc.0, 5.0.0-rc.1, 5.0.0-rc.2, 5.0.0-rc.3, 5.0.0-rc.4, 5.1.0, 5.1.0-rc.0, 5.1.1, 5.1.2, 6.0.0, 6.0.0-rc.0, 6.0.0-rc.1, 6.0.0-rc.2, 6.0.1]
Recommendation: Update to version 6.0.1.
58 Other Versions
| Version | License | Security | Released | Age |
|---|---|---|---|---|
| 0.9.8 | BSD-3-Clause | 4 | 2011-12-15 - 16:03 | over 14 years |
| 0.9.7 | BSD-3-Clause | 4 | 2011-12-01 - 23:14 | over 14 years |
| 0.9.6 | BSD-3-Clause | 3 | 2011-11-23 - 19:26 | over 14 years |
| 0.9.5 | BSD-3-Clause | 3 | 2011-11-23 - 16:09 | over 14 years |
| 0.9.4 | BSD-3-Clause | 3 | 2011-11-23 - 15:55 | over 14 years |
| 0.9.3 | BSD-3-Clause | 3 | 2011-11-07 - 22:32 | over 14 years |
| 0.9.1 | BSD-3-Clause | 3 | 2011-10-31 - 20:14 | over 14 years |
| 0.9.0 | BSD-3-Clause | 3 | 2011-10-21 - 19:06 | over 14 years |
