CVE-2022-25901
node-cookiejar - security update
CVSS 3.1 base score: 5.3 (MEDIUM)
EPSS: 0.07%
Description
Versions of the npm package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which applies a regular expression prone to catastrophic backtracking to the cookie string it is given. The impact is availability only (CVSS vector C:N/I:N/A:L): a crafted cookie string fed to Cookie.parse makes the match take time that grows super-linearly with input length, and because regular-expression matching in Node.js is synchronous, the event loop is blocked for the whole of that time.
How to fix CVE-2022-25901
To remediate CVE-2022-25901, upgrade the affected package to one of the fixed versions listed below.
- Debian/node-cookiejar—upgrade to 2.1.2-1+deb11u1 or later
- —upgrade to 2.0.1-1+deb10u1 or later
- —no fix listed
- —upgrade to 2.1.4 or later
Is CVE-2022-25901 being exploited?
Low. EPSS is 0.07%, a very small estimated probability of exploitation in the wild over the next 30 days, and exploitation activity has not been observed at scale. A low EPSS does not make the bug harmless for a service that parses untrusted Cookie headers with this library; it only says that broad exploitation has not been seen.
Affected packages (4)
- from 0, < 2.1.2-1+deb11u1
- from 0, < 2.0.1-1+deb10u1
- from 0, <= 2.1.3
- from 0, < 2.1.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |