
The dependency tough-cookie needs to be upgraded #483

Open
haven2world opened this issue Jul 3, 2023 · 2 comments

Comments

@haven2world

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Could we upgrade to version tough-cookie@4.1.3?

@astegmaier

The vulnerability in tough-cookie versions before 4.1.3 is tracked here: https://nvd.nist.gov/vuln/detail/CVE-2023-26136. This is generating alerts in our component governance that I suspect will be hit by others as well.

@haven2world

Looking forward to the new release. Before that I'm going to override the version of tough-cookie as a workaround locally. I ran the UT locally and it looked fine. Do you have any concerns?
Thanks!
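As an added illustration of the two points raised in this thread (the vulnerable range reported in the first comment and the local version override mentioned as a workaround), and not code from the thread or from the project itself: the script below scans a package-lock.json for copies of tough-cookie older than 4.1.3 and prints the package.json `overrides` stanza that pins every nested copy to the fixed version. The lock-file content and the `compareVersions`, `findVulnerableToughCookie` and `overridesStanza` helpers are constructed for this example.

```javascript
// Added example (not from the issue thread): audit a package-lock.json for
// tough-cookie versions older than 4.1.3 (CVE-2023-26136) and build the
// package.json "overrides" stanza used as the workaround in this thread.
// The lock-file content below is constructed sample data.
const FIXED_VERSION = "4.1.3";

// Minimal semver compare on "major.minor.patch" (prerelease tags ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the lockfileVersion 2/3 "packages" map and report vulnerable copies,
// including ones nested under other dependencies' node_modules directories.
function findVulnerableToughCookie(lock, fixed = FIXED_VERSION) {
  const hits = [];
  for (const [pkgPath, meta] of Object.entries(lock.packages || {})) {
    if (!pkgPath.endsWith("node_modules/tough-cookie") || !meta.version) continue;
    if (compareVersions(meta.version, fixed) < 0) {
      hits.push({ path: pkgPath, version: meta.version });
    }
  }
  return hits;
}

// npm 8.3 and later honour "overrides" in package.json; this pins every
// transitive copy of tough-cookie to the fixed release.
function overridesStanza(fixed = FIXED_VERSION) {
  return { overrides: { "tough-cookie": fixed } };
}

// Constructed sample lock file: one patched top-level copy, one vulnerable
// nested copy, and an unrelated package that must be ignored.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/tough-cookie": { version: "4.1.3" },
    "node_modules/jsdom/node_modules/tough-cookie": { version: "4.0.0" },
    "node_modules/request": { version: "2.88.2" },
  },
};

const findings = findVulnerableToughCookie(SAMPLE_LOCK);
if (findings.length) {
  console.log("vulnerable tough-cookie copies:", findings);
  console.log("suggested package.json addition:", JSON.stringify(overridesStanza()));
}
```

After adding the stanza and re-running `npm install`, `npm ls tough-cookie` should list only the pinned version.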
