CVE-2024-47764

EUVD-2024-3106
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Injection
Provider, Type, Base Score, Atk. Vector, Atk. Complexity, Priv. Required, Vector
NIST, Primary, UNKNOWN, ---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 42%
Debian Releases
Debian Product: node-cookie
Codename: bookworm, no-dsa
Codename: bullseye, postponed
Codename: forky, 0.7.1+~0.6.0-1, fixed
Codename: sid, 0.7.1+~0.6.0-1, fixed
Codename: trixie, 0.7.1+~0.6.0-1, fixed
Ubuntu Releases
Ubuntu Product: node-cookie
Codename: bionic, needs-triage
Codename: focal, needs-triage
Codename: jammy, needs-triage
Codename: noble, needs-triage
Codename: oracular, ignored
Codename: plucky, not-affected
Codename: questing, not-affected
Codename: xenial, needs-triage