CVE-2022-25901

MEDIUM

cookiejar < 2.1.4 - Denial of Service via Insecure Regular Expression in Cookie.parse

Description

Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.

Scores

CVSS v3 5.3
EPSS 0.0155
EPSS Percentile 71.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-1333
Status published
Products (3)
cookiejar_project/cookiejar < 2.1.3
npm/cookiejar 0 - 2.1.4 (npm)
org.webjars.npm/cookiejar 0 (Maven)
Published Jan 18, 2023
Tracked Since Feb 18, 2026