Description
Affected versions of tough-cookie may be vulnerable to regular expression denial of service when long strings of semicolons exist in the Set-Cookie header.
Recommendation
Update the tough-cookie package to the latest compatible version. Version details:
- Affected version(s): < 2.3.0
- Patched version(s): 2.3.0
References
- GHSA-qhv9-728r-6jqg
- www.npmjs.com
- access.redhat.com
- www.ibm.com
- CVE-2016-1000232
- CWE-1333
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Prototype Pollution in lodash (GHSA-jf85-cpcp-j695) 4 - CVE-2019-10744
- Prototype Pollution in lodash (GHSA-jf85-cpcp-j695) 2 - CVE-2019-10744
- Passbolt Browser Extension leaks password information - CVE-2024-33669
- tough-cookie Prototype Pollution vulnerability - CVE-2023-26136
Tags: npm, tough-cookie
Last updated on April 11, 2023