PT-2017-13815 · Node.Js · Tough-Cookie

Published 2017-10-03 · Updated 2019-06-12 · CVE-2017-15010

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: tough-cookie versions prior to 2.3.3

Description: A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module for Node.js. An attacker can make an HTTP request using a specially crafted cookie to cause the application to consume an excessive amount of CPU. The amplification of this issue is relatively low, taking around 2 seconds to execute on a malicious input of 50,000 characters. However, if Node.js was compiled with the -DHTTP_MAX_HEADER_SIZE flag, the impact can be significant, because Node.js otherwise limits the maximum HTTP header length by default.

Recommendations: Update to version 2.3.3 or later.
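A server-side compensating control for the flaw described above, added here as an example (not code from the advisory or from tough-cookie): a linear-time bound on the Cookie header enforced before any cookie parser runs, plus a version check for dependency inventories. The byte limits, the 431 status code and the function names are this example's own choices.

```javascript
// Added defensive example (not from the advisory or tough-cookie): bound the
// Cookie header before any cookie parser sees it, so a crafted 50,000-character
// cookie is rejected with 431 instead of burning CPU in a vulnerable regex.
// Limits are assumptions made for this example: RFC 6265 asks user agents to
// handle at least 4096 bytes per cookie, so 8192 bytes for the whole header
// and 4096 per pair are generous for real traffic.
const LIMITS = { maxHeaderBytes: 8192, maxPairs: 64, maxPairBytes: 4096 };

// Returns { ok: true } or { ok: false, status: 431, reason } for a raw Cookie
// header value. Uses only byteLength and split, so the guard itself is O(n)
// and cannot become a second ReDoS target.
function checkCookieHeader(cookieHeader, limits = LIMITS) {
  if (cookieHeader === undefined) return { ok: true }; // no Cookie header sent
  const bytes = Buffer.byteLength(cookieHeader, 'utf8');
  if (bytes > limits.maxHeaderBytes) {
    return { ok: false, status: 431, reason: `Cookie header ${bytes} bytes > ${limits.maxHeaderBytes}` };
  }
  const pairs = cookieHeader.split(';'); // RFC 6265 separates cookie-pairs with ';'
  if (pairs.length > limits.maxPairs) {
    return { ok: false, status: 431, reason: `${pairs.length} cookie pairs > ${limits.maxPairs}` };
  }
  for (const pair of pairs) {
    if (Buffer.byteLength(pair, 'utf8') > limits.maxPairBytes) {
      return { ok: false, status: 431, reason: `cookie pair exceeds ${limits.maxPairBytes} bytes` };
    }
  }
  return { ok: true };
}

// Drop-in for a plain http.createServer handler chain: reject before parsing.
function cookieGuard(req, res, next) {
  const verdict = checkCookieHeader(req.headers.cookie);
  if (!verdict.ok) { res.writeHead(verdict.status); res.end(verdict.reason); return; }
  next();
}

// Affected-version check for lockfile or inventory scans: tough-cookie < 2.3.3.
// Accepts release versions with an optional range prefix such as "^" or "~";
// returns null when the string is not a plain MAJOR.MINOR.PATCH version.
function isAffectedToughCookie(version) {
  const parts = version.replace(/^[^\d]*/, '').split('.').map(Number);
  if (parts.length < 3 || parts.some(Number.isNaN)) return null;
  const [maj, min, patch] = parts;
  return maj < 2 || (maj === 2 && (min < 3 || (min === 3 && patch < 3)));
}

// Constructed sample inputs: a normal header and an oversized one like the
// 50,000-character input the advisory describes.
const normal = 'session=abc123; theme=dark';
const oversized = 'session=' + 'a'.repeat(50000);
console.log(checkCookieHeader(normal));    // { ok: true }
console.log(checkCookieHeader(oversized)); // { ok: false, status: 431, reason: ... }
```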

Fix

DoS

Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2017-15010
GHSA-G7Q5-PJJR-GQVP
RHSA-2017:2912
RHSA-2017:2913
RHSA-2018:1263

Affected Products

Tough-Cookie