Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1weGc2LXBmNTIteGg4eM4AA_9q
cookie accepts cookie name, path, and domain with out of bounds characters
Impact
The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.
A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.
Patches
Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Workarounds
Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.
References
Permalink: https://github.com/advisories/GHSA-pxg6-pf52-xh8xJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1weGc2LXBmNTIteGg4eM4AA_9q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 17 days ago
Updated: 17 days ago
Identifiers: GHSA-pxg6-pf52-xh8x, CVE-2024-47764
References:
- https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x
- https://github.com/jshttp/cookie/pull/167
- https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c
- https://github.com/advisories/GHSA-pxg6-pf52-xh8x
Blast Radius: 0.0
Affected Packages
npm:cookie
Dependent packages: 4,117Dependent repositories: 2,444,047
Downloads: 234,816,610 last month
Affected Version Ranges: < 0.7.0
Fixed in: 0.7.0
All affected versions: 0.0.0, 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.6.0
All unaffected versions: 0.7.0, 0.7.1, 0.7.2, 1.0.0, 1.0.1