CVE-2022-25901

Exploit

EPSS 0.07%
Veröffentlicht 18.01.2023 05:15:11
Zuletzt bearbeitet 13.02.2025 17:15:39
Quelle report@snyk.io
CVE-Watchlists
Login
Unerledigt
Login

Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 9

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cookiejar Project ≫ Cookiejar SwPlatformnode.js Version <= 2.1.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.212

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
report@snyk.io	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js%23L73

Broken Link

https://github.com/bmeck/node-cookiejar/pull/39

Patch

Third Party Advisory

https://github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde826108153b578348e5

Patch

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2023/09/msg00008.html

https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681

Third Party Advisory

Exploit