Skip to content

Update tough-cookie version due to security vulnerability #13

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 22, 2017
Merged

Update tough-cookie version due to security vulnerability #13

merged 1 commit into from
Sep 22, 2017

Conversation

@sophieklm
Copy link
Contributor

@sophieklm sophieklm commented Sep 22, 2017

There has been a new release of tough-cookie to fix the following:

The tough-cookie module is vulnerable to regular expression denial of service. Input of around 50k characters is required for a slow down of around 2 seconds.

Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option the default header max length is 80kb so the impact of the ReDoS is limited to around 7.3 seconds of blocking.

At the time of writing all version <=2.3.2 are vulnerable

See: https://nodesecurity.io/advisories/525

@coveralls
Copy link

coveralls commented Sep 22, 2017
edited
Loading

Coverage Status

Coverage remained the same at 100.0% when pulling 7f2bff2 on sophieklm:tough-cookie-update into 7239e1e on request:master.

@analog-nico analog-nico merged commit 1b7306e into request:master Sep 22, 2017
@analog-nico
Copy link
Member

analog-nico commented Sep 22, 2017

Thanks a lot @sophieklm ! I just published [email protected] which includes the fix.

@build build mentioned this pull request Dec 6, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sophieklm @coveralls @analog-nico