CVE-2016-1000232: ReDoS via long string of semicolons in tough-cookie

CVSS Score: 5.3 (CVSS version 3.0)

Basic Information

EPSS Score: 0.75441%
Published: 10/10/2018
Updated: 4/11/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name: tough-cookie
Ecosystem: npm
Vulnerable Versions: < 2.3.0
First Patched Version: 2.3.0

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from how cookie attributes were parsed: the input was split with a regex using the `\s*;\s*` pattern. This regex contains multiple quantifiers with overlapping match possibilities (whitespace before and after semicolons), leading to exponential time complexity when processing long semicolon sequences. The commit that patched this vulnerability replaced the regex split with a simple `';'` split followed by `trim()`, which eliminates the backtracking. The test case added in `parsing_test.js`, which uses 65535 semicolons, specifically validates this fix.
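
The change described above, sketched as an added example (not tough-cookie's source and not part of the original page): the regex-based split beside the literal `';'` split plus `trim()`, compared on a constructed header and then run on a 65535-semicolon input. The function names, the sample strings and the choice to drop empty segments are assumptions of this example.

```javascript
// Added example: hypothetical helpers, not tough-cookie's actual source.

// Pre-patch style: the separator regex absorbs optional whitespace on both
// sides of ';', so the regex engine does the trimming while splitting.
function splitAttributesLegacy(unparsed) {
  return unparsed.split(/\s*;\s*/);
}

// Patched style: split on the literal ';' (no regex involved), then trim
// each piece. Dropping empty pieces is this example's own choice, so that
// runs such as ";;;" yield no attributes.
function splitAttributesPatched(unparsed) {
  const out = [];
  for (const piece of unparsed.split(';')) {
    const av = piece.trim();
    if (av.length > 0) out.push(av);
  }
  return out;
}

// Constructed sample inputs.
const BENIGN = 'sid=abc123 ;  Path=/;HttpOnly ; Secure';
// Semicolon count taken from the test case the page mentions.
const SEMICOLON_FLOOD = 'sid=abc123' + ';'.repeat(65535);

// Returns the attributes plus the wall-clock time the patched splitter took.
function timePatched(input) {
  const start = Date.now();
  const attrs = splitAttributesPatched(input);
  return { attrs, ms: Date.now() - start };
}

// Checks that both splitters agree on ordinary input, then measures the
// patched splitter alone on the semicolon flood.
function demo() {
  const same = JSON.stringify(splitAttributesLegacy(BENIGN)) ===
               JSON.stringify(splitAttributesPatched(BENIGN));
  const flood = timePatched(SEMICOLON_FLOOD);
  return { same, floodAttrs: flood.attrs, floodMs: flood.ms };
}

console.log(demo());
```

A regression test in this shape asserts both the parsed result and a time bound, so a later change that reintroduces a backtracking separator regex fails the build.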
