📂 Vulnerable Library - cookie-parser-1.4.6.tgz
Parse HTTP request cookies
Path to dependency file: /backend/package.json
Findings
| Finding |
Severity |
🎯 CVSS |
Exploit Maturity |
EPSS |
Library |
Type |
Fixed in |
Remediation Available |
Reachability |
| CVE-2024-47764 |
🟠 Medium |
5.3 |
Not Defined |
< 1% |
cookie-0.4.1.tgz |
Transitive |
N/A |
❌ |
 Reachable |
Details
🟠CVE-2024-47764
Vulnerable Library - cookie-0.4.1.tgz
HTTP server cookie parsing and serialization
Library home page: https://registry.npmjs.org/cookie/-/cookie-0.4.1.tgz
Path to dependency file: /backend/package.json
Dependency Hierarchy:
- cookie-parser-1.4.6.tgz (Root Library)
- ❌ cookie-0.4.1.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- damn-vulnerable-crypto-app-backend-1.0.0/src/app.ts (Application)
- cookie-parser-1.4.6/index.js (Extension)
-> ❌ cookie-0.4.1/index.js (Vulnerable Component)
Vulnerability Details
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Publish Date: Oct 04, 2024 07:09 PM
URL: CVE-2024-47764
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-pxg6-pf52-xh8x
Release Date: Oct 04, 2024 07:09 PM
Fix Resolution : cookie - 0.7.0
📂 Vulnerable Library - cookie-parser-1.4.6.tgz
Parse HTTP request cookies
Path to dependency file: /backend/package.json
Findings
Details
🟠CVE-2024-47764
Vulnerable Library - cookie-0.4.1.tgz
HTTP server cookie parsing and serialization
Library home page: https://registry.npmjs.org/cookie/-/cookie-0.4.1.tgz
Path to dependency file: /backend/package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Publish Date: Oct 04, 2024 07:09 PM
URL: CVE-2024-47764
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-pxg6-pf52-xh8x
Release Date: Oct 04, 2024 07:09 PM
Fix Resolution : cookie - 0.7.0