Bug 2161901 (CVE-2022-25901) - CVE-2022-25901 cookiejar: Regular Expression Denial of Service (ReDoS)
Summary: CVE-2022-25901 cookiejar: Regular Expression Denial of Service (ReDoS)
Keywords:
Status: NEW
Alias: CVE-2022-25901
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2164317
Blocks: 2161902
Reported: 2023-01-18 08:42 UTC by Avinash Hanwate
Modified: 2025-03-14 08:28 UTC (History)
CC List: 15 users

Fixed In Version: cookiejar 2.1.4
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Avinash Hanwate 2023-01-18 08:42:09 UTC
Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.

https://github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde826108153b578348e5
https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984
https://github.com/bmeck/node-cookiejar/pull/39
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681
https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js#L73
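
Added example (not cookiejar's code, and not part of any comment on this bug): the class of defect described above, a cookie name=value regex whose quantifiers overlap and backtrack catastrophically on a header segment that contains no "=", shown beside a linear-time parser built on indexOf() and a small harness that times both on a hostile input. NAIVE_PAIR_RE is an illustrative pattern written for this example, not the exact expression from node-cookiejar's Cookie.parse; the hostile input is constructed here; performance.now() is assumed to be available as a global (Node 16 or later).

```javascript
// Added example, not code from node-cookiejar. NAIVE_PAIR_RE is an
// illustrative regex written for this example; it is not the exact
// expression from Cookie.parse.

// Illustrative insecure pattern: unanchored, and `\s*` and `[^=]+` both
// accept whitespace. On a segment with no "=" the engine tries every way of
// dividing the text among the three quantifiers, from every start offset,
// before it finally fails.
const NAIVE_PAIR_RE = /\s*([^=]+)\s*=\s*([\s\S]*)/;

// Regex-based name=value extraction (the vulnerable style).
function parsePairNaive(segment) {
  const m = NAIVE_PAIR_RE.exec(segment);
  return m ? { name: m[1].trim(), value: m[2].trim() } : null;
}

// Hardened replacement: split on the first "=" with indexOf(). There is no
// backtracking, so the cost is linear in the segment length for any input.
function parsePairSafe(segment) {
  const eq = segment.indexOf('=');
  if (eq < 0) return null;                 // not a name=value pair
  const name = segment.slice(0, eq).trim();
  if (name === '') return null;            // "=value" has no name
  return { name, value: segment.slice(eq + 1).trim() };
}

// Parse a Set-Cookie header with the supplied pair parser. Attributes that
// carry "=" (Path, Domain, Expires, ...) are stored by lower-cased name;
// bare attributes (HttpOnly, Secure) become boolean flags.
function parseSetCookie(header, parsePair) {
  const parts = header.split(';').map(p => p.trim()).filter(p => p !== '');
  if (parts.length === 0) return null;
  const pair = parsePair(parts[0]);
  if (pair === null) return null;
  const attrs = {};
  for (const part of parts.slice(1)) {
    const attr = parsePair(part);
    if (attr === null) attrs[part.toLowerCase()] = true;
    else attrs[attr.name.toLowerCase()] = attr.value;
  }
  return { name: pair.name, value: pair.value, attrs };
}

// Hostile segment constructed for this example: whitespace only, no "=".
function hostileSegment(n) {
  return ' '.repeat(n);
}

// Wall-clock milliseconds for one parse of a hostile segment of length n.
function timeParse(parsePair, n) {
  const input = hostileSegment(n);
  const t0 = performance.now();
  parsePair(input);
  return performance.now() - t0;
}

// Time both parsers as the hostile input doubles. Sizes are deliberately
// small: the naive regex already slows visibly at a few hundred bytes.
function compareScaling(sizes) {
  return sizes.map(n => ({
    n,
    naiveMs: timeParse(parsePairNaive, n),
    safeMs: timeParse(parsePairSafe, n),
  }));
}

for (const row of compareScaling([40, 80, 160])) {
  console.log(
    `n=${row.n}\tnaive=${row.naiveMs.toFixed(1)} ms\tsafe=${row.safeMs.toFixed(3)} ms`
  );
}
```

Run it with node. The safe parser's time stays flat, while the naive parser's climbs steeply with each doubling: for a whitespace-only input of length n the pattern's three quantifiers admit on the order of n^4 distinct splits, each of which the backtracking engine visits before reporting no match. Both parsers return the same result on well-formed headers, which is the property a fix for this class of bug has to preserve: drop the regex where a single indexOf() does the job, or at least anchor the pattern and keep adjacent quantifiers' character classes disjoint so no input can be matched two ways.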

Comment 2 TEJ RATHI 2023-01-25 07:36:07 UTC
Created nodejs-cookiejar tracking bugs for this issue:

Affects: epel-7 [bug 2164317]

