Fluid Attacks Database

Description

tough-cookie Prototype Pollution vulnerability Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	tough-cookie	>=0 <4.1.3	4.1.3
debian 12	node-tough-cookie	=4.0.0-2 \|\| >=0 <4.0.0-2+deb12u1	4.0.0-2+deb12u1
debian 11	node-tough-cookie	=4.0.0-2 \|\| >=0 <4.0.0-2+deb11u1	4.0.0-2+deb11u1
debian 13	node-tough-cookie	>=0 <4.1.3+~4.0.2-1	4.1.3+~4.0.2-1
debian 14	node-tough-cookie	>=0 <4.1.3+~4.0.2-1	4.1.3+~4.0.2-1

Aliases

1. CVE-2023-261362. NVD-2023-261363. OSV-2023-261364. OSV-DEBIAN-2023-261365. GCVE-2023-261366. lists.debian.org7. SECURITY-TRACKER-CVE-2023-26136

References

1. https://github.com/salesforce/tough-cookie/issues/2822. https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e3. https://github.com/salesforce/tough-cookie/releases/tag/v4.1.34. https://lists.fedoraproject.org/archives/list/[email protected]/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT25. https://lists.fedoraproject.org/archives/list/[email protected]/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ6. https://security.netapp.com/advisory/ntap-20240621-00067. https://github.com/CUCUMBERanOrSNCompany/SealSecurityAssignment