CVE-2016-1000232
Denial of service vulnerability in tough-cookie (npm)

Type: Denial of service | Known public exploits: none | Fix: available from Resolved Security

What is CVE-2016-1000232 About?

The `tough-cookie` package, in versions before 2.3.0, is vulnerable to regular expression denial of service (ReDoS) when it parses a `Set-Cookie` header containing a long run of semicolons. The regular expression runs synchronously on the Node.js event loop, so a single crafted header can pin the CPU and leave the whole process unresponsive for the duration of the parse. Exploitation requires only that the attacker control a header value that reaches the parser.

Affected Software

tough-cookie <2.3.0

Technical Details

In affected versions, the cookie parsing logic of tough-cookie is susceptible to regular expression denial of service when it processes a Set-Cookie header containing an unusually long sequence of semicolons. The regular expressions used internally to separate cookie attributes and values exhibit catastrophic backtracking on such malformed input: the engine retries and backtracks through the semicolon run far more times than the input length would suggest, so processing time and CPU consumption grow rapidly with the length of the run. Because Node.js performs the match synchronously on its single event loop, no other request, timer or callback in that process runs until the parse finishes, which is what makes the application appear frozen.

The attack vector is any path by which attacker-controlled text reaches the parser. The usual one is an HTTP response carrying the crafted Set-Cookie header, delivered to a client that uses tough-cookie as its cookie jar (the `request` library, for example, used it by default), but a server-side component that parses cookie strings it received from clients or from an upstream service with tough-cookie is exposed in the same way.

What is the Impact of CVE-2016-1000232?

Successful exploitation lets an attacker stall the event loop of the affected Node.js process for as long as the parse takes; since that loop is shared by every request the process is handling, the application as a whole stops responding, and repeating the crafted header keeps it that way. The impact is limited to availability: no disclosure or modification of data results from this bug.

What is the Exploitability of CVE-2016-1000232?

Exploitation is low in complexity and needs no authentication or privileges: the payload is an ordinary Set-Cookie header value that happens to contain a long run of semicolons. It can be triggered remotely by any party able to place such a header in front of the parser: a malicious or compromised server responding to a client that uses tough-cookie as its cookie jar, a man-in-the-middle able to rewrite responses in transit, or a client sending the string to a server-side component that parses cookie strings with tough-cookie. The only prerequisite is a tough-cookie version earlier than 2.3.0 somewhere in the dependency tree, including transitively through an HTTP client. The risk is proportional to how much untrusted HTTP the application parses cookies from, whether from external servers or from connections that could be intercepted.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known public exploits

What are the Available Fixes for CVE-2016-1000232?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

This patch removes the regular expression that stripped trailing semicolons from the cookie string; its backtracking on long semicolon runs is what caused the denial of service in CVE-2016-1000232. Cookie attributes are instead located with plain string operations and processed in a loop, one segment at a time, so there is nothing left to backtrack and parsing time grows in step with the input length even on deliberately malformed headers.
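As an added example (not tough-cookie's code and not the Resolved Security patch), the JavaScript below puts the two approaches described under Technical Details and in the fix description above side by side: a trailing-semicolon regex of the kind the fix removed, written here as an assumed illustrative pattern rather than copied from the library, and a single-pass parser that uses only plain string operations and a loop. The function and parameter names (`parseSetCookie`, `maxLength`, `maliciousSetCookie`) and the 8 KB length cap are this example's own choices, and the Set-Cookie values it feeds in are constructed.

```javascript
'use strict';

// Added example, not tough-cookie's source. Contrasts a trailing-run regex of the
// kind the fix description says was removed (ASSUMED shape, written for illustration)
// with the iterate-and-slice approach the fix adopted, on constructed Set-Cookie values.

// Assumed illustrative pattern, not copied from tough-cookie. Anchored at the end of
// the string, it is retried from every ';' and, for each start, backtracks through
// every shorter run before giving up, so when the run is followed by any other
// character the work grows with the square of the run length.
const TRAILING_SEMICOLONS_RE = /;+$/;

function stripTrailingSemicolonsRegex(str) {
  return str.replace(TRAILING_SEMICOLONS_RE, '');
}

// Linear-time equivalent: one backward scan, nothing to backtrack.
function stripTrailingSemicolonsLoop(str) {
  let end = str.length;
  while (end > 0 && str.charCodeAt(end - 1) === 0x3b /* ';' */) end -= 1;
  return str.slice(0, end);
}

// Single-pass Set-Cookie parser in the style of the fix: indexOf/slice/split and a
// loop, no regular expressions. maxLength is an added defence-in-depth cap (an
// assumption of this example, not part of tough-cookie): oversized header values are
// rejected before any work is done on them.
function parseSetCookie(header, { maxLength = 8192 } = {}) {
  if (typeof header !== 'string' || header.length > maxLength) return null;
  const firstSemi = header.indexOf(';');
  const pair = firstSemi === -1 ? header : header.slice(0, firstSemi);
  const eq = pair.indexOf('=');
  if (eq === -1) return null;                // RFC 6265 S5.2 step 1: no '=' -> ignore
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  if (name === '') return null;              // empty name -> ignore
  const cookie = { name, value, attributes: {} };
  if (firstSemi === -1) return cookie;
  // Each ';'-delimited segment is visited exactly once; the empty segments produced
  // by a run like ';;;;' are skipped in constant time each, so a run of N costs O(N).
  for (const segment of header.slice(firstSemi + 1).split(';')) {
    const av = segment.trim();
    if (av === '') continue;
    const i = av.indexOf('=');
    const attrName = (i === -1 ? av : av.slice(0, i)).trim().toLowerCase();
    const attrValue = i === -1 ? '' : av.slice(i + 1).trim();
    cookie.attributes[attrName] = attrValue; // last occurrence wins (RFC 6265 S5.3)
  }
  return cookie;
}

// Constructed attack value: a long run of ';' that is NOT at the end of the string,
// so the anchored regex never matches and must backtrack from every position.
function maliciousSetCookie(run) {
  return 'id=abc' + ';'.repeat(run) + 'x';
}

function millis(fn) {
  const t0 = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Timing comparison: quadrupling the run should multiply the regex time by roughly
// sixteen and the loop time by roughly four.
for (const run of [2000, 8000]) {
  const header = maliciousSetCookie(run);
  const regexMs = millis(() => stripTrailingSemicolonsRegex(header)).toFixed(2);
  const loopMs = millis(() => stripTrailingSemicolonsLoop(header)).toFixed(2);
  console.log(`run=${run} regex=${regexMs}ms loop=${loopMs}ms`);
}
```

Run it with node; the two timing lines show the regex cost climbing far faster than the input while the loop stays flat. The `maxLength` cap is optional defence in depth: the parser is already linear, but refusing absurdly long header values before parsing also bounds memory and costs nothing.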

Available Upgrade Options

  • tough-cookie
    • <2.3.0 → Upgrade to 2.3.0


Additional Resources

What are Similar Vulnerabilities to CVE-2016-1000232?

Similar Vulnerabilities: CVE-2016-10539, CVE-2017-16118, CVE-2013-4002, CVE-2015-6420