logo

Database

Asymmetric denial of service - ReDoS In tough-cookie

Description

ReDoS via long string of semicolons in tough-cookie Affected versions of tough-cookie may be vulnerable to regular expression denial of service when long strings of semicolons exist in the Set-Cookie header.

Recommendation

Update to version 2.3.0 or later.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2016-10002322. NVD-2016-10002323. OSV-2016-10002324. GHSA-qhv9-728r-6jqg5. GCVE-2016-10002326. access.redhat.com7. access.redhat.com8. ACCESS-cve-2016-1000232

References

1. https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae2. https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b15343. https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-10002324. https://www.npmjs.com/advisories/130

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.