Bug 2161901 (CVE-2022-25901) - CVE-2022-25901 cookiejar: Regular Expression Denial of Service (ReDoS)
Summary: CVE-2022-25901 cookiejar: Regular Expression Denial of Service (ReDoS)
Keywords:
Status: NEW
Alias: CVE-2022-25901
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2164317
Blocks: 2161902
TreeView+ depends on / blocked
 
Reported: 2023-01-18 08:42 UTC by Avinash Hanwate
Modified: 2024-06-08 08:28 UTC (History)
17 users (show)

Fixed In Version: cookiejar 2.1.4
Doc Type: If docs needed, set a value
Doc Text:
A Regular Expression Denial of Service (ReDoS) vulnerability was found in cookiejar via the Cookie.parse function and other aspects of the API, which uses an insecure regular expression for parsing cookie values. Applications could be stalled for extended periods of time if untrusted input is passed to cookie values or attempted to parse from request headers.regular expression.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Avinash Hanwate 2023-01-18 08:42:09 UTC
Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.

https://github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde826108153b578348e5
https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984
https://github.com/bmeck/node-cookiejar/pull/39
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681
https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js%23L73

Comment 2 TEJ RATHI 2023-01-25 07:36:07 UTC
Created nodejs-cookiejar tracking bugs for this issue:

Affects: epel-7 [bug 2164317]


Note You need to log in before you can comment on or make changes to this bug.