GHSA-pxg6-pf52-xh8x

Source

https://github.com/advisories/GHSA-pxg6-pf52-xh8x

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-pxg6-pf52-xh8x/GHSA-pxg6-pf52-xh8x.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-pxg6-pf52-xh8x

Aliases

CVE-2024-47764

Downstream

MINI-jj3m-4m39-28r4

Related

Published

2024-10-04T20:31:00Z

Modified

2024-10-04T20:57:03.427374Z

Summary

cookie accepts cookie name, path, and domain with out of bounds characters

Details

Impact

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

Patches

Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Workarounds

Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.

References

https://github.com/jshttp/cookie/pull/167

Database specific

{
    "nvd_published_at": null,
    "severity": "LOW",
    "github_reviewed_at": "2024-10-04T20:31:00Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-74"
    ]
}

References

Affected packages

npm / cookie

Package

Name: cookie; View open source insights on deps.dev
Purl: pkg:npm/cookie

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.7.0