logo

Database

Insecurely generated cookies In @grackle-ai/server

Description

@grackle-ai/server has a Missing Secure Flag on Session Cookie

Impact

The session cookie is set with HttpOnly; SameSite=Lax; Path=/ but does not include the Secure flag. This means the cookie will be sent over plain HTTP connections.

Since the server binds to 127.0.0.1 by default and uses HTTP (not HTTPS), this is acceptable for localhost use. However, when --allow-network is used to bind to 0.0.0.0, cookies could be transmitted over insecure network connections and intercepted by an attacker.

Affected code:

    packages/server/src/session.ts:76 — cookie string lacks ; Secure attribute

Patches

0.70.5

Fix: Conditionally add ; Secure when served over HTTPS or when --allow-network is enabled:

const securePart = isHttps ? "; Secure" : "";
return `${SESSION_COOKIE_NAME}=${cookieValue}; HttpOnly; SameSite=Lax; Path=/${securePart}; Max-Age=${maxAge}`;

Workarounds

Do not use --allow-network over untrusted networks without a TLS-terminating reverse proxy.

Resources

    OWASP: Secure Cookie Attribute

    File: packages/server/src/session.ts

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GHSA-5j35-xr4g-vwf42. GCVE-GHSA-5j35-xr4g-vwf4

References

1. https://github.com/nick-pape/grackle/security/advisories/GHSA-5j35-xr4g-vwf4

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.