6.9

CVSS Score

4.0

-

CVSS Score

Basic Information

CVE ID

CVE-2024-47764

GHSA ID

GHSA-pxg6-pf52-xh8x

EPSS Score

0.16888%

CWE

CWE-74

Published

10/4/2024

Updated

4/15/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-47764

CVE-2024-47764: cookie accepts cookie name, path, and domain with out of bounds characters

Impact

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

Patches

Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Workarounds

Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.

References

https://github.com/jshttp/cookie/pull/167

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-47764

CVE-2024-47764:

6.9

CVSS Score

4.0

-

CVSS Score

Basic Information

CVE ID

CVE-2024-47764

GHSA ID

GHSA-pxg6-pf52-xh8x

EPSS Score

0.16888%

CWE

CWE-74

Published

10/4/2024

Updated

4/15/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
cookie	npm	< 0.7.0	0.7.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description clearly points to issues in how cookie names, paths, and domains are handled, specifically within the serialization process. The provided commit e10042845354fea83bd8f34af72475eed1dadf5c directly modifies the serialize function in index.js. The changes involve replacing a general regular expression (fieldContentRegExp) with more specific and stricter ones (cookieNameRegExp, cookieValueRegExp, domainValueRegExp, pathValueRegExp) for validating these components. This indicates that the serialize function was the point where the insufficient validation occurred, making it the vulnerable function. The tests in test/serialize.js were also updated to reflect these new, stricter validation rules, further confirming that serialize is the function of interest.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.9

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-47764: cookie accepts cookie name, path, and domain with out of bounds characters

Impact

Patches

Workarounds

References

CVE-2024-47764:

6.9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

6.9

6.9

CVE-2024-47764: cookie accepts cookie name, path, and domain with out of bounds characters

Impact

Patches

Workarounds

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI