@debricked debricked bot commented Apr 14, 2025

CVE-2024-47764

Vulnerability details

Description

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

NVD

cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.

GitHub

cookie accepts cookie name, path, and domain with out of bounds characters

Impact

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

Patches

Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Workarounds

Avoid passing untrusted or arbitrary values for these fields; ensure they are set by the application instead of user input.

References

GitLab Advisory Database (Open Source Edition)

cookie accepts cookie name, path, and domain with out of bounds characters

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

CVSS details

    No information

References

    NVD - CVE-2024-47764
    cookie accepts cookie name, path, and domain with out of bounds characters · CVE-2024-47764 · GitHub Advisory Database · GitHub
    npm/cookie/CVE-2024-47764.yml · main · GitLab.org / GitLab Advisory Database Open Source Edition · GitLab
    fix: narrow the validation of cookies to match RFC6265 by bewinsnw · Pull Request #167 · jshttp/cookie · GitHub
    Cookie name, path, and domain accept out of bounds characters · Advisory · jshttp/cookie · GitHub
    fix: narrow the validation of cookies to match RFC6265 (#167) · jshttp/cookie@e100428 · GitHub
    GitHub - jshttp/cookie: HTTP server cookie parsing and serialization

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE
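
The name escape described in the comment above, as an added example that is not code from the cookie package or from the advisory: a serializer that concatenates its fields unchecked, next to one that validates name, domain and path against the RFC 6265 grammar. The function names and regular expressions are assumptions made for illustration; the input name is the one quoted in the advisory text.

```javascript
// Added example: a minimal serializer, not the cookie package's own code.
// cookie-name is an RFC 6265 token: no control characters, spaces or separators.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// path-value: any printable ASCII character except ";".
const PATH_VALUE = /^[\x20-\x3A\x3C-\x7E]*$/;
// Domain: dot-separated letter/digit/hyphen labels, optional leading dot.
const LABEL = "[a-z0-9](?:[a-z0-9-]*[a-z0-9])?";
const DOMAIN_VALUE = new RegExp(`^\\.?${LABEL}(?:\\.${LABEL})*$`, "i");

// Cookie name taken from the advisory text on this page.
const ADVISORY_NAME = "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a";

// Lax: only the value is encoded; name, domain and path are concatenated as-is.
function serializeLax(name, value, opts = {}) {
  let out = `${name}=${encodeURIComponent(value)}`;
  if (opts.domain) out += `; Domain=${opts.domain}`;
  if (opts.path) out += `; Path=${opts.path}`;
  return out;
}

// Strict: reject any field that could end itself and start another attribute.
function serializeStrict(name, value, opts = {}) {
  if (!TOKEN.test(name)) throw new TypeError("invalid cookie name");
  if (opts.domain !== undefined && !DOMAIN_VALUE.test(opts.domain)) {
    throw new TypeError("invalid cookie domain");
  }
  if (opts.path !== undefined && !PATH_VALUE.test(opts.path)) {
    throw new TypeError("invalid cookie path");
  }
  return serializeLax(name, value, opts);
}

// Split a Set-Cookie value the way a receiver does: first pair, then attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// With the lax serializer the receiver sees a cookie called "userName" and the
// intended value "test" ends up attached to a trailing attribute named "a".
console.log(parseSetCookie(serializeLax(ADVISORY_NAME, "test")));
```
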

 
