CVE-2022-25901
Published: 18 January 2023
Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.
Priority
Status
Package | Release | Status |
---|---|---|
node-cookiejar Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
focal |
Not vulnerable
(code not present)
|
|
jammy |
Not vulnerable
(code not present)
|
|
kinetic |
Not vulnerable
(code not present)
|
|
lunar |
Ignored
(end of life, was needs-triage)
|
|
mantic |
Not vulnerable
(2.1.4+~2.1.2-1)
|
|
trusty |
Ignored
(end of standard support)
|
|
upstream |
Released
(2.1.4+~2.1.2-1)
|
|
xenial |
Not vulnerable
(code not present)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |