
Update tough-cookie version due to security vulnerability #13

Merged (1 commit), Sep 22, 2017

Conversation

sophieklm (Contributor):

There has been a new release of tough-cookie to fix the following:

The tough-cookie module is vulnerable to regular expression denial of service. Input of around 50k characters is required for a slow down of around 2 seconds.

Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option, the default header max length is 80kb, so the impact of the ReDoS is limited to around 7.3 seconds of blocking.

At the time of writing, all versions <=2.3.2 are vulnerable.

See: https://nodesecurity.io/advisories/525
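The advisory above gives two concrete numbers a defender can act on: every tough-cookie release up to 2.3.2 is affected, and the slowdown needs tens of kilobytes of cookie input. The following is an added example (not code from this pull request or from request-promise-native) that turns both into checks: a version predicate for resolved lockfile versions, a recursive audit over a constructed dependency-tree snapshot, and a byte-length guard applied to a Cookie header before it reaches any regex-based parser. `MAX_COOKIE_HEADER_BYTES` and the lockfile shape are assumptions for the example.

```javascript
// Added example, not part of the PR: defender-side checks for the
// tough-cookie ReDoS advisory (affected range: every version <= 2.3.2).

const LAST_VULNERABLE = [2, 3, 2];        // last affected release, per the advisory
const MAX_COOKIE_HEADER_BYTES = 8192;     // assumed deployment limit, well below ~50k

// Parse a resolved version string such as "2.3.2" or "v2.3.2" into numbers.
// Intended for lockfile (resolved) versions, not semver ranges like "^2.3.2".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of [major, minor, patch]: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the given tough-cookie version falls inside the affected range.
function isVulnerableToughCookie(version) {
  return compareVersions(parseVersion(version), LAST_VULNERABLE) <= 0;
}

// Walk a nested {dependencies: {name: {version, dependencies}}} tree
// (the shape is an assumption for this example) and collect every
// tough-cookie version that is still in the affected range.
function auditLock(tree) {
  const found = [];
  for (const [name, entry] of Object.entries(tree.dependencies || {})) {
    if (name === 'tough-cookie' && isVulnerableToughCookie(entry.version)) {
      found.push(entry.version);
    }
    if (entry.dependencies) found.push(...auditLock(entry));
  }
  return found;
}

// Defence in depth: refuse oversized Cookie headers before parsing them,
// so a pathological input never reaches a backtracking regex at all.
function guardCookieHeader(header, maxBytes = MAX_COOKIE_HEADER_BYTES) {
  if (typeof header !== 'string') return { ok: false, reason: 'not a string' };
  const bytes = Buffer.byteLength(header, 'utf8');
  if (bytes > maxBytes) return { ok: false, reason: `header is ${bytes} bytes, limit ${maxBytes}` };
  return { ok: true, bytes };
}
```

The length guard complements the upgrade rather than replacing it: only the version bump removes the vulnerable pattern, while the guard caps how much work any single request can force on the parser.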

coveralls commented Sep 22, 2017:

Coverage remained the same at 100.0% when pulling 7f2bff2 on sophieklm:tough-cookie-update into 7239e1e on request:master.

@analog-nico analog-nico merged commit 1b7306e into request:master Sep 22, 2017
analog-nico (Member):

Thanks a lot @sophieklm! I just published request-promise-native@1.0.5 which includes the fix.

3 participants