Description
Affected versions of tough-cookie are susceptible to a regular expression denial of service.
The amplification of this vulnerability is relatively low: the regex engine takes around 2 seconds to process a malicious input 50,000 characters in length.
Recommendation
Update the tough-cookie package to the latest compatible version. Version details:
- Affected version(s): < 2.3.3
- Patched version(s): 2.3.3
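Because tough-cookie is usually pulled in transitively, a single top-level copy at 2.3.3 does not prove the tree is clean. The following check is an added example, not code from this advisory or from the tough-cookie project: it walks a package-lock.json (both the v1 nested layout and the v2/v3 "packages" layout) and lists every installed copy of tough-cookie below the patched 2.3.3. The lockfile content in SAMPLE_LOCK is constructed sample data.

```javascript
// Added example: find copies of tough-cookie below the patched 2.3.3
// release in a package-lock.json, including nested transitive copies.
// Uses only plain JavaScript; no dependencies required.
const PATCHED = [2, 3, 3]; // first fixed version per the advisory

// Parse "MAJOR.MINOR.PATCH[-pre][+build]" into a numeric triple.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// true when triple a sorts before triple b.
function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Return [{ path, version }] for every tough-cookie install < 2.3.3.
// Unparseable versions (git URLs, tags) are reported too, for manual review.
function findVulnerableToughCookie(lock) {
  const hits = [];
  function check(p, version) {
    const parsed = parseVersion(version);
    if (!parsed || lessThan(parsed, PATCHED)) hits.push({ path: p, version });
  }
  // v1 lockfiles nest each package's own deps under "dependencies".
  function walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps)) {
      const p = prefix + 'node_modules/' + name;
      if (name === 'tough-cookie') check(p, meta.version);
      if (meta.dependencies) walk(meta.dependencies, p + '/');
    }
  }
  if (lock.packages) {
    // v2/v3 lockfiles list every installed copy keyed by its node_modules path.
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p.endsWith('node_modules/tough-cookie')) check(p, meta.version);
    }
  } else {
    walk(lock.dependencies || {}, '');
  }
  return hits;
}

// Constructed sample (v1 layout): patched top-level copy, vulnerable copy nested under "request".
const SAMPLE_LOCK = {
  dependencies: {
    'tough-cookie': { version: '2.3.3' },
    request: { version: '2.81.0', dependencies: { 'tough-cookie': { version: '2.3.2' } } },
  },
};

console.log(findVulnerableToughCookie(SAMPLE_LOCK));
```

To scan a real project, pass the parsed contents of its package-lock.json in place of SAMPLE_LOCK; any non-empty result means the update in the recommendation above has not reached every copy.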
References
- GHSA-g7q5-pjjr-gqvp
- www.npmjs.com
- access.redhat.com
- lists.fedoraproject.org
- snyk.io
- www.securityfocus.com
- CVE-2017-15010
- CWE-400
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Regular Expression Denial of Service in marked (GHSA-x5pg-88wf-qq4p) - CVE-2017-16114
- Regular Expression Denial of Service in slug - CVE-2017-16117
- Regular Expression Denial of Service in moment - CVE-2017-18214
- Regular Expression Denial Of Service in uri-js - CVE-2017-16021
Tags:
- npm
- tough-cookie
Last updated on November 29, 2023