Description
Affected versions of tough-cookie are susceptible to a regular expression denial of service (ReDoS).
The amplification of this vulnerability is relatively low: a malicious input of 50,000 characters takes the regex engine around 2 seconds to process.
Recommendation
Update the tough-cookie package to the latest compatible version. Version details:
- Affected version(s): < 2.3.3
- Patched version(s): 2.3.3
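As an added example (not from the advisory or the tough-cookie project), the script below scans an npm package-lock.json for every installed copy of tough-cookie, including copies nested under other packages, and flags those below the patched 2.3.3. It assumes the lockfileVersion 1 layout (nested "dependencies" maps); the sample lockfile is constructed.

```javascript
// Added example: find tough-cookie installs older than the patched 2.3.3 in a
// package-lock.json, including transitive copies nested under other packages.
// Assumes lockfileVersion 1 layout ("dependencies" maps with nested "dependencies").

const PACKAGE = 'tough-cookie';
const PATCHED = '2.3.3'; // from the advisory: affected versions are < 2.3.3

// Compare two "x.y.z" versions numerically; returns -1, 0 or 1.
// Prerelease suffixes (e.g. "-beta") are ignored for simplicity.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, PATCHED) < 0;
}

// Walk the lockfile tree, recording every tough-cookie copy with its
// dependency path and whether it falls in the affected range.
function findToughCookie(lock, pathPrefix = [], out = []) {
  const deps = lock.dependencies || {};
  for (const [name, entry] of Object.entries(deps)) {
    const path = [...pathPrefix, name];
    if (name === PACKAGE) {
      out.push({ path: path.join(' > '), version: entry.version, affected: isAffected(entry.version) });
    }
    findToughCookie(entry, path, out); // recurse into nested dependencies
  }
  return out;
}

// Constructed sample lockfile: a patched top-level copy plus a vulnerable
// copy nested under a hypothetical "request" dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'tough-cookie': { version: '2.3.3' },
    request: {
      version: '2.81.0',
      dependencies: { 'tough-cookie': { version: '2.3.2' } },
    },
  },
};

for (const f of findToughCookie(SAMPLE_LOCK)) {
  console.log(`${f.path} ${f.version} ${f.affected ? 'AFFECTED (< 2.3.3)' : 'ok'}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.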
References
- GHSA-g7q5-pjjr-gqvp
- www.npmjs.com
- access.redhat.com
- lists.fedoraproject.org
- snyk.io
- www.securityfocus.com
- CVE-2017-15010
- CWE-400
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) - CVE-2020-8203
- IPX Allows Path Traversal via Prefix Matching Bypass - CVE-2025-54387
Tags:
- npm
- tough-cookie
Last updated on November 29, 2023