CVE-2017-15010
Denial of Service vulnerability in tough-cookie (npm)
What is CVE-2017-15010 About?
This is a Regular Expression Denial of Service (ReDoS) vulnerability in `tough-cookie`, which can be triggered by specially crafted input. While amplification is low, it can lead to significant impact if the Node.js `HTTP_MAX_HEADER_SIZE` is large. Exploitation involves providing a malicious string to the cookie parser.
Affected Software
Technical Details
Affected versions of the tough-cookie package are susceptible to a Regular Expression Denial of Service (ReDoS) attack. This occurs when a specially crafted, lengthy input string (e.g., a cookie header) containing specific patterns causes the regular expression engine to enter an extremely inefficient state, consuming excessive CPU. While the base amplification is noted as relatively low for a 50,000 character input, the impact grows significantly if the Node.js runtime is compiled with a large HTTP_MAX_HEADER_SIZE, since much longer malicious inputs are then accepted and processed, maximizing the CPU exhaustion and leading to a denial of service.
What is the Impact of CVE-2017-15010?
Successful exploitation may allow attackers to cause the application to consume excessive CPU resources when processing crafted input, leading to a denial of service for legitimate users.
What is the Exploitability of CVE-2017-15010?
Exploitation is of low to moderate complexity. It requires an attacker to provide a specially crafted malicious string (e.g., within an HTTP header or similar input that tough-cookie processes). This is typically a remote vulnerability, as the attacker delivers the malicious input over a network protocol. No authentication is strictly required, as the vulnerability typically lies in how input is parsed before authentication. The main prerequisites are an application using tough-cookie to process untrusted input and potentially a Node.js environment configured with a large HTTP_MAX_HEADER_SIZE. The risk increases significantly in publicly exposed web applications that parse HTTP headers from untrusted sources.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2017-15010?
About the Fix from Resolved Security
The patch limits the number of consecutive spaces that the cookie-parsing regular expressions match to 256, preventing excessive backtracking when parsing strings with extremely long space sequences. This mitigates the Regular Expression Denial of Service (ReDoS) vulnerability described in CVE-2017-15010, which was exploitable by feeding crafted input with large amounts of whitespace, causing the parser to hang or consume excessive CPU.
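As an added illustration of the mitigation class this fix belongs to (example code, not tough-cookie's own), the snippet below applies the same 256-character cap to consecutive whitespace before any parsing happens and extracts the leading name=value pair with index arithmetic instead of a backtracking regular expression. `MAX_WS_RUN`, `longestWhitespaceRun` and `parseCookiePair` are names chosen here, not tough-cookie APIs.

```javascript
// Added example (not tough-cookie's code): linear-time cookie-pair parsing
// with a whitespace-run cap mirroring the 256-space limit from the fix.

const MAX_WS_RUN = 256; // same limit the fix applies inside its regexes

const isWs = (c) => c === ' ' || c === '\t';

// Longest run of consecutive spaces/tabs, found in a single O(n) pass, so
// the guard itself cannot be used to stall the process.
function longestWhitespaceRun(str) {
  let longest = 0;
  let run = 0;
  for (const c of str) {
    run = isWs(c) ? run + 1 : 0;
    if (run > longest) longest = run;
  }
  return longest;
}

// Parses the leading `name=value` pair of a Cookie/Set-Cookie string using
// only index scans. No backtracking is possible, whatever the input length.
// Returns { name, value } or null for malformed or over-long whitespace input.
function parseCookiePair(str) {
  if (longestWhitespaceRun(str) > MAX_WS_RUN) return null; // refuse, do not parse
  const semi = str.indexOf(';');
  const end = semi === -1 ? str.length : semi;
  const eq = str.indexOf('=');
  if (eq === -1 || eq > end) return null; // RFC 6265 requires name=value
  let ns = 0, ne = eq, vs = eq + 1, ve = end;
  while (ns < ne && isWs(str[ns])) ns++;      // trim leading ws before name
  while (ne > ns && isWs(str[ne - 1])) ne--;  // trim trailing ws after name
  while (vs < ve && isWs(str[vs])) vs++;      // trim leading ws before value
  while (ve > vs && isWs(str[ve - 1])) ve--;  // trim trailing ws after value
  if (ne === ns) return null; // empty cookie-name is invalid
  return { name: str.slice(ns, ne), value: str.slice(vs, ve) };
}

module.exports = { MAX_WS_RUN, longestWhitespaceRun, parseCookiePair };
```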
Available Upgrade Options
- tough-cookie
- <2.3.3 → Upgrade to 2.3.3
Additional Resources
- http://www.securityfocus.com/bid/101185
- https://access.redhat.com/errata/RHSA-2018:1264
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT
- https://www.npmjs.com/advisories/525
- https://access.redhat.com/errata/RHSA-2018:1263
- https://access.redhat.com/errata/RHSA-2017:2912
- https://access.redhat.com/errata/RHSA-2017:2913
- https://github.com/advisories/GHSA-g7q5-pjjr-gqvp
- https://github.com/salesforce/tough-cookie/issues/92
- https://nodesecurity.io/advisories/525
What are Similar Vulnerabilities to CVE-2017-15010?
Similar Vulnerabilities: CVE-2016-4322, CVE-2018-3720, CVE-2019-10744, CVE-2020-15167, CVE-2021-3807
