Vulnerability in dependency, cookie 0.6.0 #13714
Description
Describe the bug
Impact
The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.
A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.
Patches
Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Reproduction
npm audit
Logs
System Info
System:
OS: Windows 11 10.0.26100
CPU: (8) x64 AMD Ryzen 7 3700U with Radeon Vega Mobile Gfx
Memory: 928.29 MB / 9.95 GB
Binaries:
Node: 22.12.0 - C:\Program Files\nodejs\node.EXE
npm: 11.3.0 - C:\Program Files\nodejs\npm.CMD
pnpm: 10.8.1 - ~\AppData\Roaming\npm\pnpm.CMD
Browsers:
Edge: Chromium (131.0.2903.146)
Internet Explorer: 11.0.26100.1882Severity
annoyance
Additional Information
{
"actions": [
{
"action": "review",
"module": "cookie",
"resolves": [
{
"id": 1099846,
"path": ".>@sveltejs/kit>cookie",
"dev": false,
"optional": false,
"bundled": false
}
]
}
],
"advisories": {
"1099846": {
"findings": [
{
"version": "0.6.0",
"paths": [
".>@sveltejs/kit>cookie"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x\n- https://github.com/jshttp/cookie/pull/167\n- https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c\n- https://github.com/advisories/GHSA-pxg6-pf52-xh8x",
"created": "2024-10-04T20:31:00.000Z",
"id": 1099846,
"npm_advisory_id": null,
"overview": "### Impact\n\nThe cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, `serialize(\"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a\", value)` would result in `\"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test\"`, setting `userName` cookie to `<script>` and ignoring `value`.\n\nA similar escape can be used for `path` and `domain`, which could be abused to alter other fields of the cookie.\n\n### Patches\n\nUpgrade to 0.7.0, which updates the validation for `name`, `path`, and `domain`.\n\n### Workarounds\n\nAvoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.\n\n### References\n\n* https://github.com/jshttp/cookie/pull/167",
"reported_by": null,
"title": "cookie accepts cookie name, path, and domain with out of bounds characters",
"metadata": null,
"cves": [
"CVE-2024-47764"
],
"access": "public",
"severity": "low",
"module_name": "cookie",
"vulnerable_versions": "<0.7.0",
"github_advisory_id": "GHSA-pxg6-pf52-xh8x",
"recommendation": "Upgrade to version 0.7.0 or later",
"patched_versions": ">=0.7.0",
"updated": "2024-10-04T20:31:01.000Z",
"cvss": {
"score": 0,
"vectorString": null
},
"cwe": [
"CWE-74"
],
"url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x"
}
},
"muted": [],
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 1,
"moderate": 0,
"high": 0,
"critical": 0
},
"dependencies": 528,
"devDependencies": 0,
"optionalDependencies": 0,
"totalDependencies": 528
}
}