chaijs / chai-http

HTTP Response assertions for the Chai Assertion Library.
http://chaijs.com/plugins/chai-http

Vulnerability in cookiejar CVE-2022-25901 #305

Closed gamboaa closed 1 year ago

gamboaa commented 1 year ago

The current version of this package depends on cookiejar@2.1.2 which has a known vulnerability.

CVE-2022-25901

Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.

```
─┬ chai-http@4.3.0
 ├── cookiejar@2.1.2
 └─┬ superagent@3.8.3
   └── cookiejar@2.1.2 deduped
```

keithamus commented 1 year ago

This is a development dependency that should not be run in production code. Denial of service attacks are only pertinent to long-running public-facing services. If someone manages to craft a cookie which causes chai-http to hang, then the user will kill the hanging test harness and move on with their day.

I'm closing this as wontfix.
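As an added example, not code from this issue, chai-http or cookiejar, the script below audits a `package-lock.json` (assumed to be lockfileVersion 2 or 3 with a `packages` map) for copies of cookiejar older than the fixed release 2.1.4. It reports which packages pull each copy in, including a hoisted copy that npm shows as `deduped` under several parents as in the tree above, and whether the copy is installed as a dev dependency, which is the fact the triage in the reply above turns on. The lockfile embedded here is constructed to mirror the reporter's tree; the dependency ranges in it are assumptions.

```javascript
// Added example (not chai-http or cookiejar code): scan an npm lockfile for
// copies of cookiejar older than the fixed release and report which packages
// pull each copy in and whether it is dev-only.
const FIXED_COOKIEJAR = '2.1.4'; // first release without the ReDoS in Cookie.parse

// Compare dotted numeric versions: <0, 0 or >0. Prerelease suffixes are ignored.
function compareVersions(a, b) {
  const pa = String(a).split('-')[0].split('.').map(Number);
  const pb = String(b).split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// For a nested path such as "node_modules/superagent/node_modules/cookiejar"
// return the parent package's path; null for a hoisted top-level copy.
function parentPath(installPath) {
  const i = installPath.lastIndexOf('/node_modules/cookiejar');
  return i <= 0 ? null : installPath.slice(0, i);
}

function displayName(pkgPath) {
  return pkgPath === '' ? '(root)' : pkgPath.split('node_modules/').pop();
}

// lock is a parsed package-lock.json (lockfileVersion 2 or 3).
function findVulnerableCookiejar(lock, fixed = FIXED_COOKIEJAR) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!path.endsWith('node_modules/cookiejar')) continue;
    if (compareVersions(meta.version, fixed) >= 0) continue;

    const parent = parentPath(path);
    let dependents;
    if (parent !== null) {
      dependents = [displayName(parent)];
    } else {
      // Hoisted copy: every package that lists cookiejar and has no nested
      // copy of its own resolves to this one (what npm ls prints as "deduped").
      dependents = Object.entries(packages)
        .filter(([p, m]) => m.dependencies && 'cookiejar' in m.dependencies
          && !(`${p}/node_modules/cookiejar` in packages))
        .map(([p]) => displayName(p))
        .sort();
    }
    findings.push({ path, version: meta.version, dev: Boolean(meta.dev), dependents });
  }
  return findings;
}

// Constructed lockfile mirroring the tree in the issue: chai-http@4.3.0 and
// superagent@3.8.3 both resolve to one hoisted cookiejar@2.1.2 installed as a
// dev dependency. The semver ranges are assumptions made for this example.
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', devDependencies: { 'chai-http': '^4.3.0' } },
    'node_modules/chai-http': {
      version: '4.3.0', dev: true,
      dependencies: { cookiejar: '^2.1.1', superagent: '^3.7.0' },
    },
    'node_modules/superagent': {
      version: '3.8.3', dev: true,
      dependencies: { cookiejar: '^2.1.0' },
    },
    'node_modules/cookiejar': { version: '2.1.2', dev: true },
  },
};

// One line per vulnerable copy: path@version (dev|prod) <- dependents
function report(lock) {
  return findVulnerableCookiejar(lock).map((f) =>
    `${f.path}@${f.version} (${f.dev ? 'dev' : 'prod'}) <- ${f.dependents.join(', ')}`);
}

console.log(report(sampleLock).join('\n'));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a finding whose `dev` flag is false is the case the maintainer's reply does not cover, since that copy would ship in production.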