CVE-2019-25091: nsupdate.info has Sensitive Cookie Without 'HttpOnly' Flag
5.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.22577%
CWE
Published
12/28/2022
Updated
2/2/2023
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| nsupdate | pip | <= 0.12.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the Django configuration setting CSRF_COOKIE_HTTPONLY being disabled (False) in base.py. The commit 60a3fe5 explicitly changes this value from False to True to fix the issue. While not a traditional function, this configuration parameter directly controls the HttpOnly flag behavior for the CSRF cookie, making it the root cause. The GitHub PR #410 and commit diff confirm this was the vulnerable point.