CVE-2022-25901 — MEDIUM (5.3)

Q: What is CVE-2022-25901?

CVE-2022-25901 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.

Q: How severe is CVE-2022-25901?

CVE-2022-25901 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-25901?

Check the references section above for vendor advisories and patch information. Affected products include: Cookiejar Project Cookiejar.

Vulnerability Description

Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

LOW

Affected Products

Vendor	Product	Versions
Cookiejar Project	Cookiejar	<= 2.1.3

Related Weaknesses (CWE)

CWE-1333

References

https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js%23L73Broken Link
https://github.com/bmeck/node-cookiejar/pull/39PatchThird Party Advisory
https://github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde82PatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2023/09/msg00008.html
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681ExploitThird Party Advisory
https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984ExploitThird Party Advisory
https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js%23L73Broken Link
https://github.com/bmeck/node-cookiejar/pull/39PatchThird Party Advisory
https://github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde82PatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2023/09/msg00008.html
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681ExploitThird Party Advisory
https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984ExploitThird Party Advisory

FAQ

What is CVE-2022-25901?

CVE-2022-25901 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.

How severe is CVE-2022-25901?

CVE-2022-25901 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-25901?

Check the references section above for vendor advisories and patch information. Affected products include: Cookiejar Project Cookiejar.