PT-2017-15156 · Rust · Cookie

Published: 2017-05-06 · Updated: 2021-08-25 · CVE-2017-18589

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: cookie crate versions prior to 0.7.6
Description: The issue arises when a large integer is used as the Max-Age of a cookie, causing a panic. Affected versions of the crate use the time crate's Duration::seconds method to parse the Max-Age cookie attribute. If the value is greater than 2^64/1000 and less than or equal to 2^64, that method panics, which can result in a denial of service for a client or server.
Recommendations: For versions prior to 0.7.6, update to version 0.7.6 or later to resolve the issue. As a temporary workaround, explicitly check whether the Max-Age value falls in the integer range given above and clamp it to the maximum duration value so the panic cannot occur.
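The clamping workaround from the recommendations, as an added Rust example that is not the cookie crate's own code: it validates a Max-Age attribute value and caps it at the largest seconds count the affected Duration::seconds can take. It assumes that crate keeps the duration as i64 milliseconds (so the safe bound is i64::MAX / 1000) and mirrors its overflow check in seconds_would_panic rather than depending on the time crate.

```rust
/// Milliseconds per second, the factor the affected `time::Duration::seconds`
/// scales by before storing the duration (assumption about that implementation).
const MILLIS_PER_SEC: i64 = 1_000;

/// Largest Max-Age in seconds that still fits once scaled to milliseconds in an i64.
/// Assumption: the affected time crate stores the duration as i64 milliseconds.
pub const MAX_SAFE_SECONDS: i64 = i64::MAX / MILLIS_PER_SEC;

/// Stand-in for the overflow check inside the affected `Duration::seconds`:
/// true for any seconds value that would make that call panic.
pub fn seconds_would_panic(secs: i64) -> bool {
    secs.checked_mul(MILLIS_PER_SEC).is_none()
}

/// Defensive parse of a Set-Cookie Max-Age attribute value.
/// Returns None when the attribute is malformed (RFC 6265 says to ignore it),
/// otherwise a seconds value that is safe to hand to `Duration::seconds`.
pub fn parse_max_age_clamped(raw: &str) -> Option<i64> {
    let raw = raw.trim();
    let (negative, digits) = match raw.strip_prefix('-') {
        Some(rest) => (true, rest),
        None => (false, raw),
    };
    // RFC 6265 section 5.2.2: an optional '-' followed only by DIGITs; anything else is ignored.
    if digits.is_empty() || !digits.bytes().all(|b| b.is_ascii_digit()) {
        return None;
    }
    if negative {
        // delta-seconds <= 0 means "already expired"; zero expresses that without underflow.
        return Some(0);
    }
    // A digit run too large for i64 (e.g. values near 2^64) is certainly above the safe
    // bound, so an overflowing parse is treated as i64::MAX before clamping.
    let secs = digits.parse::<i64>().unwrap_or(i64::MAX);
    Some(secs.min(MAX_SAFE_SECONDS))
}

fn main() {
    // Constructed sample values: a normal TTL, i64::MAX, 2^64 - 1, a negative, and junk.
    for raw in ["3600", "9223372036854775807", "18446744073709551615", "-1", "1e9"] {
        let unclamped = raw.parse::<i64>().map(seconds_would_panic);
        println!(
            "Max-Age={raw:>20}: unclamped panics? {unclamped:?}, clamped -> {:?}",
            parse_max_age_clamped(raw)
        );
    }
}
```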


Weakness Enumeration

Related Identifiers

CVE-2017-18589
GHSA-VJRQ-CG9X-RFJP
RUSTSEC-2017-0005

Affected Products

Cookie