tough-cookie is vulnerable to regular expression denial-of-service (ReDoS) attack. A malicious user can pass a long string that contains many semicolons in the Set-Cookies header, causing a regular expression to take a large amount of time, causing a denial of service condition.