Serverless Examples – A collection of boilerplates and examples of serverless architectures built with the Serverless Framework on AWS Lambda, Microsoft Azure, Google Cloud Functions, and more.
CVE-2022-25901 - High Severity Vulnerability
cookiejar-2.1.2.tgz
simple persistent cookiejar system
Library home page: https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.2.tgz
Path to dependency file: /aws-node-typescript-nest/package.json
Path to vulnerable library: /aws-node-typescript-nest/node_modules/cookiejar/package.json,/aws-node-typescript-apollo-lambda/node_modules/cookiejar/package.json,/aws-node-oauth-dropbox-api/node_modules/cookiejar/package.json,/aws-dotnet-rest-api-with-dynamodb/src/DotNetServerless.Lambda/node_modules/cookiejar/package.json
Dependency Hierarchy:
- serverless-1.27.3.tgz (Root Library)
  - json-refs-2.1.7.tgz
    - path-loader-1.0.4.tgz
      - superagent-3.8.3.tgz
        - :x: **cookiejar-2.1.2.tgz** (Vulnerable Library)
cookiejar-2.1.3.tgz
simple persistent cookiejar system
Library home page: https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.3.tgz
Path to dependency file: /aws-node-signed-uploads/package.json
Path to vulnerable library: /aws-node-signed-uploads/node_modules/cookiejar/package.json,/aws-node-rest-api-typescript-simple/node_modules/cookiejar/package.json,/aws-node-http-api-typescript/node_modules/cookiejar/package.json,/aws-rust-simple-http-endpoint/node_modules/cookiejar/package.json,/aws-python-auth0-custom-authorizers-api/node_modules/cookiejar/package.json,/aws-golang-dynamo-stream-to-elasticsearch/node_modules/cookiejar/package.json,/aws-node-dynamic-image-resizer/node_modules/cookiejar/package.json,/aws-node-puppeteer/node_modules/cookiejar/package.json,/aws-golang-auth-examples/node_modules/cookiejar/package.json
Dependency Hierarchy:
- serverless-1.83.3.tgz (Root Library)
  - json-refs-3.0.15.tgz
    - path-loader-1.0.10.tgz
      - superagent-3.8.3.tgz
        - :x: **cookiejar-2.1.3.tgz** (Vulnerable Library)
Found in base branch: master
Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.
Publish Date: 2023-01-18
URL: CVE-2022-25901
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Type: Upgrade version
Release Date: 2023-01-18
Fix Resolution (cookiejar): 2.1.4
Direct dependency fix Resolution (serverless): 1.28.0
Fix Resolution (cookiejar): 2.1.4
Direct dependency fix Resolution (serverless): 2.0.0-05627d62