| Name | CVE-2024-47764 |
|---|---|
| Description | cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
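As an added example (not the page's or the jshttp/cookie project's own code), the defect the description names, reduced to a minimal serializer: the unchecked form lets a name or path carry its own attributes, and the validating form rejects such input before building the header. The regexes are assumptions that approximate the RFC 6265 token and attribute rules, not the library's exact checks.

```javascript
// Minimal Set-Cookie serializer in two forms (added example, not the cookie
// library's code). Field validation regexes below are assumptions.

// Vulnerable shape: caller-controlled fields are concatenated unchecked, so a
// name containing "; Domain=..." becomes extra attributes of the cookie.
function serializeUnchecked(name, value, opts = {}) {
  let str = name + '=' + encodeURIComponent(value);
  if (opts.path !== undefined) str += '; Path=' + opts.path;
  if (opts.domain !== undefined) str += '; Domain=' + opts.domain;
  if (opts.httpOnly) str += '; HttpOnly';
  return str;
}

// Hardened shape: validate name, path and domain before they are used.
// NAME_RE: RFC 6265 token characters only (no '=', ';', spaces, controls).
// PATH_RE: printable ASCII without ';'. DOMAIN_RE: dotted labels only.
const NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const PATH_RE = /^[\u0020-\u003A\u003D-\u007E]*$/;
const DOMAIN_RE = /^\.?[a-z0-9-]+(\.[a-z0-9-]+)*$/i;

function serializeValidated(name, value, opts = {}) {
  if (!NAME_RE.test(name)) throw new TypeError('argument name is invalid');
  let str = name + '=' + encodeURIComponent(value);
  if (opts.path !== undefined) {
    if (!PATH_RE.test(opts.path)) throw new TypeError('option path is invalid');
    str += '; Path=' + opts.path;
  }
  if (opts.domain !== undefined) {
    if (!DOMAIN_RE.test(opts.domain)) throw new TypeError('option domain is invalid');
    str += '; Domain=' + opts.domain;
  }
  if (opts.httpOnly) str += '; HttpOnly';
  return str;
}

// Returns true when the validating serializer rejects the input (helper for checks).
function rejected(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}

// Constructed input: a "name" that smuggles a Domain attribute.
const smuggledName = 'id=1; Domain=other.example; x';
console.log(serializeUnchecked(smuggledName, 'v'));        // attributes injected
console.log(rejected(() => serializeValidated(smuggledName, 'v'))); // true
console.log(serializeValidated('sid', 'a b', { path: '/', domain: 'app.example', httpOnly: true }));
```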
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| node-cookie (PTS) | bullseye | 0.4.1-1 | vulnerable |
| node-cookie (PTS) | bookworm | 0.5.0-2 | vulnerable |
| node-cookie (PTS) | sid, trixie | 0.7.1+~0.6.0-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| node-cookie | source | (unstable) | 0.7.1+~0.6.0-1 | | | |
[bookworm] - node-cookie <no-dsa> (Minor issue)
[bullseye] - node-cookie <postponed> (Minor issue; can be fixed in next update)
https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x
https://github.com/jshttp/cookie/pull/167
https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c (v0.7.0)