Description
Affected versions of tough-cookie are vulnerable to regular expression denial of service (ReDoS) when a Set-Cookie header contains a long run of semicolons: the regular expression used while parsing the header backtracks excessively on such input, so the cost of a single header grows far faster than its length. The header arrives in a server's response, so any server a vulnerable client talks to (or anyone who can inject response headers) can trigger it, and because the parse runs synchronously on the JavaScript event loop, one such header can stall the whole process.
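The following is an added example, not code from tough-cookie or from this advisory. It puts a deliberately backtracking-prone pattern of the general kind behind ReDoS findings (a hypothetical illustration, not the expression tough-cookie actually used) next to a Set-Cookie parser that splits on the literal `;` and therefore handles any number of semicolons in linear time; the `maxLen` cap and the sample headers are assumptions made for the example.

```javascript
// Added example (not tough-cookie's own code): a linear-time Set-Cookie
// parser beside a hypothetical nested-quantifier regex that backtracks
// exponentially on a run of semicolons followed by one other character.

// Hypothetical pattern, NOT tough-cookie's: "(;+)*" can split a run of n
// semicolons in roughly 2^n ways, and once the anchored match fails on the
// trailing non-semicolon the engine tries every one of them.
const NESTED_QUANTIFIER = /^(;+)*$/;

function slowSemicolonCheck(s) {
  return NESTED_QUANTIFIER.test(s);
}

// Wall-clock time in milliseconds for one call of fn().
function measureMs(fn) {
  const start = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Linear-time Set-Cookie parser: split on the literal ';' and trim, both
// O(n). A run of semicolons only yields empty pieces, which are skipped.
// maxLen is a defence-in-depth cap on header size (assumed value).
function parseSetCookie(header, maxLen = 8192) {
  if (typeof header !== 'string') throw new TypeError('header must be a string');
  if (header.length > maxLen) {
    throw new RangeError(`Set-Cookie header longer than ${maxLen} characters`);
  }
  const pieces = header.split(';');
  // RFC 6265 section 5.2: without '=' in the first piece, or with an empty
  // name, the whole set-cookie-string is ignored.
  const first = pieces[0];
  const eq = first.indexOf('=');
  if (eq === -1) return null;
  const cookie = {
    name: first.slice(0, eq).trim(),
    value: first.slice(eq + 1).trim(),
    attributes: {},
  };
  if (cookie.name === '') return null;
  for (let i = 1; i < pieces.length; i++) {
    const piece = pieces[i].trim();
    if (piece === '') continue; // produced by ";;" or a trailing ";"
    const aeq = piece.indexOf('=');
    const attrName = (aeq === -1 ? piece : piece.slice(0, aeq)).trim().toLowerCase();
    const attrValue = aeq === -1 ? true : piece.slice(aeq + 1).trim();
    cookie.attributes[attrName] = attrValue;
  }
  return cookie;
}

// Demo: the regex roughly doubles in cost per extra semicolon; the parser
// handles a constructed header with 100000 semicolons in one pass.
function demo() {
  for (let n = 10; n <= 18; n += 2) {
    const input = ';'.repeat(n) + 'x'; // constructed hostile input
    const ms = measureMs(() => slowSemicolonCheck(input));
    console.log(`regex  n=${n}: ${ms.toFixed(3)} ms`);
  }
  const big = 'sid=abc; Path=/' + ';'.repeat(100000); // constructed header
  const ms = measureMs(() => parseSetCookie(big, Infinity));
  console.log(`parser n=100000: ${ms.toFixed(3)} ms`);
}
demo();
```

Raising `n` in `demo()` a few steps at a time shows the exponential curve; the parser's time stays proportional to header length because neither `split` on a fixed string nor `trim` can backtrack.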
Recommendation
Update the tough-cookie package to the latest compatible version. tough-cookie is usually pulled in transitively (for example by HTTP client libraries that keep a cookie jar), so check the full dependency tree rather than only direct dependencies. Version details:
- Affected version(s): < 2.3.0
- Patched version(s): 2.3.0
References
- GHSA-qhv9-728r-6jqg
- www.npmjs.com
- access.redhat.com
- www.ibm.com
- CVE-2016-1000232
- CWE-1333
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Regular Expression Denial of Service in tough-cookie - CVE-2017-15010
- tough-cookie Prototype Pollution vulnerability - CVE-2023-26136
- ReDoS via long UserAgent header in useragent - CVE-2017-16030
- steal Inefficient Regular Expression Complexity vulnerability via string variable - CVE-2022-37259
Tags
- npm
- tough-cookie
Last updated on April 11, 2023