CVE-2024-47764

cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
GitHub_MCNA
---
---
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
Debian logo
Debian Releases
Debian Product
Codename
node-cookie
bullseye
postponed
bookworm
no-dsa
sid
0.7.1+~0.6.0-1
fixed
trixie
0.7.1+~0.6.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
node-cookie
plucky
not-affected
oracular
needs-triage
noble
needs-triage
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c
https://github.com/jshttp/cookie/pull/167
https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x