1 known bug in cookie, with affected versions, fixes and workarounds. Sourced from upstream issue trackers.

| Severity | Affected | Fixed in | Title | Status | Source |
|---|---|---|---|---|---|
| low | any | 0.7.0 | cookie accepts cookie name, path, and domain with out of bounds characters | fixed | osv:GHSA-pxg6-pf52-xh8x |

### Impact
The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, `serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value)` would result in `"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test"`, setting the `userName` cookie to `<script>` and ignoring `value`.

A similar escape can be used for `path` and `domain`, which could be abused to alter other fields of the cookie.

### Patches
Upgrade to 0.7.0, which updates the validation for `name`, `path`, and `domain`.

### Workarounds
Avoid passing untrusted or arbitrary values for these fields; ensure they are set by the application rather than taken from user input.

### References
* https://github.com/jshttp/cookie/pull/167
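To make the field injection concrete, here is an added example (not the jshttp/cookie package's own code): a minimal serializer that first reproduces the unchecked behaviour the advisory describes, then the validation that rejects such names, paths and domains. The character classes, function names and the `attributeNames` helper are assumptions written for this page, modelled on the RFC 6265 cookie grammar.

```javascript
// Added example for this page: a minimal Set-Cookie serializer written here to
// illustrate the bug, NOT the jshttp/cookie package's own code. naiveSerialize()
// models the pre-0.7.0 behaviour of interpolating name/path/domain unchecked;
// safeSerialize() adds the validation that blocks the field injection shown above.
// The character classes below are assumptions modelled on the RFC 6265 grammar.

// Cookie names: RFC 6265 "token" characters only (no separators such as ';' or '=').
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Path/Domain attribute values: printable ASCII without ';' (0x3B) or control chars.
const ATTR_VALUE_RE = /^[\u0020-\u003A\u003D-\u007E]*$/;

// Vulnerable form: whatever is in name, path or domain lands in the header verbatim.
function naiveSerialize(name, value, opts = {}) {
  let out = `${name}=${encodeURIComponent(value)}`;
  if (opts.maxAge !== undefined) out += `; Max-Age=${Math.floor(opts.maxAge)}`;
  if (opts.domain !== undefined) out += `; Domain=${opts.domain}`;
  if (opts.path !== undefined) out += `; Path=${opts.path}`;
  return out;
}

// Hardened form: reject any field that could smuggle a separator into the header.
function safeSerialize(name, value, opts = {}) {
  if (!COOKIE_NAME_RE.test(name)) throw new TypeError('argument name is invalid');
  if (opts.domain !== undefined && !ATTR_VALUE_RE.test(opts.domain)) {
    throw new TypeError('option domain is invalid');
  }
  if (opts.path !== undefined && !ATTR_VALUE_RE.test(opts.path)) {
    throw new TypeError('option path is invalid');
  }
  return naiveSerialize(name, value, opts);
}

// Inspection helper: the attribute names a client would parse out of a header.
// Shows that the unchecked name injected a Max-Age the caller never set.
function attributeNames(setCookieHeader) {
  return setCookieHeader.split(';').slice(1).map((part) => part.trim().split('=')[0]);
}

// Constructed input: the advisory's example name, serialized with the value "test".
const INJECTED_NAME = "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a";
```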
Get this data programmatically: free, no authentication.

curl https://depscope.dev/api/bugs/npm/cookie