GHSA-g7q5-pjjr-gqvp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g7q5-pjjr-gqvp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-g7q5-pjjr-gqvp/GHSA-g7q5-pjjr-gqvp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-g7q5-pjjr-gqvp
- Aliases
- Published
- 2018-07-24T20:14:39Z
- Modified
- 2023-11-08T03:58:56.101045Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Regular Expression Denial of Service in tough-cookie
- Details
-
Affected versions of
tough-cookieare susceptible to a regular expression denial of service.The amplification on this vulnerability is relatively low - it takes around 2 seconds for the engine to execute on a malicious input which is 50,000 characters in length.
If node was compiled using the
-DHTTP_MAX_HEADER_SIZEhowever, the impact of the vulnerability can be significant, as the primary limitation for the vulnerability is the default max HTTP header length in node.Recommendation
Update to version 2.3.3 or later.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-15010
- https://github.com/salesforce/tough-cookie/issues/92
- https://github.com/salesforce/tough-cookie/commit/f1ed420a6a92ea7a5418df6e39e676556bc0c71d
- https://access.redhat.com/errata/RHSA-2017:2912
- https://access.redhat.com/errata/RHSA-2017:2913
- https://access.redhat.com/errata/RHSA-2018:1263
- https://access.redhat.com/errata/RHSA-2018:1264
- https://github.com/advisories/GHSA-g7q5-pjjr-gqvp
- https://github.com/salesforce/tough-cookie
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT
- https://snyk.io/vuln/npm:tough-cookie:20170905
- https://www.npmjs.com/advisories/525
- http://www.securityfocus.com/bid/101185
Affected packages
npm / tough-cookie
Package
- Name
- tough-cookie
- View open source insights on deps.dev
- Purl
- pkg:npm/tough-cookie