CVE-2022-25901

2023-01-1805:00:01

snyk

www.cve.org

security vulnerability

cookiejar

redos

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P

0.003 Low

EPSS

Percentile

67.9%

JSON

Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.

CNA Affected

[
  {
    "product": "cookiejar",
    "versions": [
      {
        "version": "0",
        "lessThan": "2.1.4",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  },
  {
    "product": "org.webjars.npm:cookiejar",
    "versions": [
      {
        "version": "0",
        "lessThan": "*",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  }
]