CVE-2022-25901 Vulnerability in npm package cookiejar

Description

Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.

Remediation

References

https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js%23L73

https://github.com/bmeck/node-cookiejar/pull/39

https://github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde826108153b578348e5

https://lists.debian.org/debian-lts-announce/2023/09/msg00008.html

https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681

https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984

Related Vulnerabilities

CVE-2020-26259 Vulnerability in maven package com.thoughtworks.xstream:xstream

CVE-2021-27191 Vulnerability in npm package get-ip-range

CVE-2022-25758 Vulnerability in npm package scss-tokenizer

CVE-2022-41957 Vulnerability in npm package muhammara

CVE-2017-7661 Vulnerability in maven package org.apache.cxf.fediz:fediz-jetty8

Severity

High

Classification

CWE-1333 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H