tough-cookie is a RFC6265 Cookies and CookieJar module for Node.js.
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). An attacker can provide a cookie, which nearly matches the pattern being matched. This will cause the regular expression matching to take a long time, all the while occupying the event loop and preventing it from processing other requests and making the server unavailable (a Denial of Service attack).
Let’s take the following regular expression as an example:
regex = /A(B|C+)+D/
This regular expression accomplishes the following:
AThe string must start with the letter 'A'
(B|C+)+The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the
+matches one or more times). The
+at the end of this section states that we can look for one or more matches of this section.
DFinally, we ensure this section of the string ends with a 'D'
The expression would match inputs such as
It most cases, it doesn't take very long for a regex engine to find a match:
From there, the number of steps the engine must use to validate a string just continues to grow.
|String||Number of C's||Number of steps|
tough-cookie to version 2.3.0 or higher.
Snyk patch available for versions:
- <=2.2.2 >=1.0.0