First published: Thu Sep 21 2017 (Updated: )
Affected versions of `tough-cookie` are susceptible to a regular expression denial of service (ReDoS). The amplification of this vulnerability is relatively low: the regex engine takes around 2 seconds to process a malicious input of 50,000 characters. The primary limitation on the attack is Node's default maximum HTTP header length, so if Node was compiled with `-DHTTP_MAX_HEADER_SIZE` set to raise that limit, the impact can be significant.

## Recommendation

Update to version 2.3.3 or later.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/tough-cookie | <2.3.3 | 2.3.3 |
| Salesforce Tough-cookie | <=2.3.2 | |
| npm/tough-cookie | <2.3.3 | 2.3.3 |
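Because `tough-cookie` usually arrives as a transitive dependency (for example via `request`), a quick way to act on the table above is to walk an `npm ls --json` style tree and flag every copy older than the fixed release 2.3.3. The following is an added example, not code from the advisory or the tough-cookie project; the dependency tree it scans is constructed inline for the demo.

```javascript
// Added example: find every tough-cookie copy below the fixed version 2.3.3
// in an `npm ls --json` shaped dependency tree (nested copies included).
const FIXED_VERSION = '2.3.3';

// Compare two dotted version strings numerically (pre-release tags ignored).
// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A tough-cookie version is affected when it is older than 2.3.3.
function isVulnerableToughCookie(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Recursively collect { path, version } for every affected tough-cookie copy,
// where `path` records the chain of dependencies that pulled it in.
function findVulnerableToughCookie(tree, path = []) {
  const hits = [];
  const deps = (tree && tree.dependencies) || {};
  for (const [name, info] of Object.entries(deps)) {
    const here = path.concat(name);
    if (name === 'tough-cookie' && info.version && isVulnerableToughCookie(info.version)) {
      hits.push({ path: here.join(' > '), version: info.version });
    }
    hits.push(...findVulnerableToughCookie(info, here));
  }
  return hits;
}

// Constructed sample resembling `npm ls --json` output: the top-level copy is
// already fixed, but `request` still pins an affected 2.3.2 underneath it.
const SAMPLE_TREE = {
  name: 'demo-app',
  dependencies: {
    request: {
      version: '2.81.0',
      dependencies: { 'tough-cookie': { version: '2.3.2' } },
    },
    'tough-cookie': { version: '2.3.3' },
  },
};

console.log(findVulnerableToughCookie(SAMPLE_TREE));
```

On a real project, feed it `JSON.parse` of `npm ls --json --all` output instead of `SAMPLE_TREE`.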