Description
Two vulnerabilities have been identified:
Prototype Pollution in tough-cookie:
Allows an attacker who controls cookie data to write properties onto shared object prototypes (such as Object.prototype). Depending on how the polluted properties are later read by the application, this can crash the process (denial of service) or escalate to arbitrary code execution.
Server-Side Request Forgery (SSRF) in request:
Allows an attacker who controls the target URL to make the server issue HTTP requests on their behalf, reaching internal services and other systems that are not exposed to the attacker directly.
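To make the prototype pollution class concrete, the following is an added illustration written for this advisory; it is not code from tough-cookie and does not claim to reproduce its internals. It models a simplified in-memory cookie index keyed domain -> path -> cookie name (the shape a cookie jar typically uses) where an attacker-controlled string is used directly as a property key, and places a hardened version beside it. The class names, the `isAdmin` key and the attacker input are constructed for the example.

```javascript
'use strict';

// Added illustration, not tough-cookie's code: a simplified cookie index
// keyed domain -> path -> name. The bug is generic to JavaScript: an
// attacker-controlled string used as a key on a plain object.
class VulnerableCookieIndex {
  constructor() {
    this.idx = {};               // plain object: inherits Object.prototype
  }
  put(domain, path, name, value) {
    // If `domain` is "__proto__", this.idx[domain] IS Object.prototype, so
    // the two nested writes below land on every object in the process.
    if (!this.idx[domain]) this.idx[domain] = {};
    if (!this.idx[domain][path]) this.idx[domain][path] = {};
    this.idx[domain][path][name] = value;
  }
  get(domain, path, name) {
    return this.idx[domain]?.[path]?.[name];
  }
}

// Hardened version: null-prototype containers carry no "__proto__" accessor
// to hijack, and the known-dangerous keys are rejected outright as well.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function assertSafeKey(key) {
  if (typeof key !== 'string' || FORBIDDEN_KEYS.has(key)) {
    throw new TypeError(`refusing ${JSON.stringify(key)} as a cookie index key`);
  }
}

class SafeCookieIndex {
  constructor() {
    this.idx = Object.create(null);
  }
  put(domain, path, name, value) {
    assertSafeKey(domain);
    assertSafeKey(path);
    assertSafeKey(name);
    if (!this.idx[domain]) this.idx[domain] = Object.create(null);
    if (!this.idx[domain][path]) this.idx[domain][path] = Object.create(null);
    this.idx[domain][path][name] = value;
  }
  get(domain, path, name) {
    return this.idx[domain]?.[path]?.[name];
  }
}

// Constructed attacker input: a cookie whose domain attribute is "__proto__".
// Returns true if an unrelated, freshly created object picked up the key,
// i.e. if Object.prototype was polluted. Cleans up afterwards.
function pollutionObserved(IndexClass) {
  const jar = new IndexClass();
  let polluted = false;
  try {
    jar.put('__proto__', 'isAdmin', 'x', 'true');
    polluted = ({}).isAdmin !== undefined;  // brand-new object "has" isAdmin
  } catch (e) {
    polluted = false;                        // hardened index refused the key
  } finally {
    delete Object.prototype.isAdmin;         // undo for the rest of the process
  }
  return polluted;
}
```

Run `pollutionObserved(VulnerableCookieIndex)` and it returns true: after the malicious `put`, any `if (user.isAdmin)` check anywhere in the process sees a truthy value. The same call against `SafeCookieIndex` throws on the key and returns false. Rejecting the three well-known keys is the cheap fix; using null-prototype objects (or `Map`) closes the class of bug rather than the single spelling.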
Impact
tough-cookie users who parse or store cookies from untrusted sources (for example Set-Cookie headers returned by arbitrary servers) are exposed to prototype pollution.
request users are vulnerable to SSRF if they build outbound HTTP requests from unvalidated user input, most commonly a user-supplied URL or hostname.
Workarounds
To mitigate the risk:
Avoid using tough-cookie and request; switch to maintained alternatives. (The request package has been deprecated by its maintainers since 2020 and no longer receives security fixes.)
If that is not possible, validate and sanitize all user input before it reaches either library: reject cookie keys such as __proto__, constructor and prototype, and only issue outbound requests to URLs whose scheme and host are on an explicit allowlist.
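The URL-validation part of that workaround, as an added example that is not part of this advisory and not an API of the request package: a gate to run on any user-supplied URL before handing it to whatever HTTP client is in use. The allowlisted hostnames (`cdn.example.com`, `images.example.com`) are a hypothetical configuration for a service that should only fetch from its own CDN.

```javascript
'use strict';

// Added example, not the request package's own code. Hypothetical allowlist:
// the only hosts this service is ever supposed to fetch from.
const ALLOWED_HOSTS = new Set(['cdn.example.com', 'images.example.com']);

// RFC 1918, loopback, "this network" and link-local (which covers the cloud
// metadata address 169.254.169.254). The WHATWG URL parser has already
// canonicalised decimal/hex/octal forms such as 2130706433 or 0x7f000001
// to dotted-quad, so a plain dotted-quad check is enough here.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || a === 127 || a === 0 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Defence in depth below the allowlist: even if the allowlist is later
// misconfigured, internal address families are still refused.
function isBlockedHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (h === '::1' || h === '::' || h.startsWith('fe80:') ||
      h.startsWith('fc') || h.startsWith('fd')) return true; // v6 loopback/link-local/ULA
  return isPrivateIPv4(h);
}

// Returns the normalised URL string, or throws with the reason it was refused.
function validateOutboundUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    throw new Error('invalid URL');
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error(`scheme not allowed: ${url.protocol}`);
  }
  if (url.username || url.password) {
    throw new Error('credentials in URL not allowed');
  }
  if (isBlockedHost(url.hostname)) {
    throw new Error(`host not allowed: ${url.hostname}`);
  }
  if (!ALLOWED_HOSTS.has(url.hostname.toLowerCase())) {
    throw new Error(`host not in allowlist: ${url.hostname}`);
  }
  return url.href;
}

function isAllowedOutboundUrl(rawUrl) {
  try {
    validateOutboundUrl(rawUrl);
    return true;
  } catch (e) {
    return false;
  }
}
```

The check is on the parsed, canonical form, not the raw string, so `HTTPS://CDN.EXAMPLE.COM/x`, `http://2130706433/` and `http://[::1]/` are judged by what the client would actually connect to. One caveat the code does not cover: an allowlisted hostname can still resolve to an internal address (DNS rebinding, or a compromised DNS zone), so a hardened client should also check the resolved address at connect time, and should re-validate every redirect target rather than only the first URL.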
Affected Versions
tough-cookie: All versions up to and including v0.1.0
request: All versions up to and including v0.1.0
Patched Versions
No patched versions are available for either tough-cookie or request as of now.