CVE-2022-25901
Regular Expression Denial of Service (ReDoS) vulnerability in cookiejar (npm)

Type: Regular Expression Denial of Service (ReDoS) | Known exploit: none | Fixable by: Resolved Security

What is CVE-2022-25901 About?

This is a Regular Expression Denial of Service (ReDoS) vulnerability in the `cookiejar` package, affecting versions before 2.1.4. The vulnerability arises from an insecure regular expression used in the `Cookie.parse` function, which can be exploited by crafted cookie values. Its impact is a denial of service, as applications can become unresponsive or stalled for extended periods while processing malicious input.

Affected Software

  • cookiejar
    • <2.1.4
  • org.webjars.npm:cookiejar
    • <=2.1.3

Technical Details

The vulnerability is a Regular Expression Denial of Service (ReDoS) caused by an inefficient, 'catastrophic backtracking' regular expression in the Cookie.parse function (and other related parts of the API) of the cookiejar package. When an attacker supplies a specially crafted input string as a cookie value (for example, a long run of repeating characters that drives the regex engine into exponential-time matching), the engine spends an extremely long time backtracking. This consumes excessive CPU, resulting in a denial of service (DoS) for the application. The proof-of-concept in the original advisory shows this as a significant delay when a cookie with a long, repetitive value is set through jar.setCookie(), which internally calls the vulnerable parsing routine.

What is the Impact of CVE-2022-25901?

Successful exploitation may allow attackers to cause a denial of service (DoS) by making the application unresponsive or stalled, consuming excessive CPU resources.

What is the Exploitability of CVE-2022-25901?

Exploitation of this ReDoS vulnerability is of low complexity: the attacker only has to deliver specially crafted, untrusted input (a malicious cookie value) to the application. No authentication is typically required, since many applications accept cookies from unauthenticated users or external systems, and no privileges are needed beyond sending an HTTP request whose Cookie header carries the crafted value. The attack is primarily remote: the attacker sends a request with the crafted cookie header to the vulnerable server or client-side application. The precondition is that the application uses an affected cookiejar version and passes untrusted cookie values through Cookie.parse or jar.setCookie. The likelihood of exploitation is highest for web applications that parse user-supplied cookie headers without prior sanitization or length limits, since long, repetitive headers are exactly what triggers the ReDoS.

What are the Known Public Exploits?

No known public exploits are listed (PoC / Author / Link / Commentary).

What are the Available Fixes for CVE-2022-25901?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch limits the maximum length of cookie strings parsed to 32,768 characters, refusing to process longer cookies and issuing a warning. This prevents attacks exploiting excessively long cookie values to cause denial of service (DoS) through resource exhaustion, thus mitigating CVE-2022-25901.
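The following is an added example, not cookiejar's code and not the Resolved Security patch itself. It shows the mitigation described above (refuse cookie strings longer than 32,768 characters and emit a warning) as a guard placed in front of a parser. The parser `parseCookieHeader`, the guard `safeParseCookieHeader`, the constant `MAX_COOKIE_LENGTH` and the sample inputs are assumptions chosen for illustration; the parser is deliberately written with `indexOf`/`slice` (linear time) rather than a regex so that it cannot itself backtrack catastrophically.

```javascript
// Added example (not cookiejar's code, not the Resolved Security patch):
// a length guard in front of a cookie-header parser, mirroring the
// 32,768-character limit described for the fix. All names are assumptions.
const MAX_COOKIE_LENGTH = 32768;

// Hypothetical minimal parser. It walks the string with indexOf/slice
// (linear time) instead of a backtracking regex, so it cannot be driven
// into catastrophic backtracking regardless of input shape.
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;            // skip fragments without '='
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name !== '') cookies[name] = value;
  }
  return cookies;
}

// Guard: refuse (return null) and warn when the header exceeds the limit,
// otherwise parse. `warn` is injectable so callers can route it to a logger.
function safeParseCookieHeader(header, warn = console.warn) {
  if (typeof header !== 'string') return null;
  if (header.length > MAX_COOKIE_LENGTH) {
    warn(`cookie header is ${header.length} chars, over the ` +
         `${MAX_COOKIE_LENGTH} limit; refusing to parse`);
    return null;
  }
  return parseCookieHeader(header);
}

// Constructed sample inputs for a stand-alone run.
const normal = 'session=abc123; theme=dark';
const oversized = 'pad=' + 'a'.repeat(MAX_COOKIE_LENGTH + 1);
console.log(safeParseCookieHeader(normal));    // { session: 'abc123', theme: 'dark' }
console.log(safeParseCookieHeader(oversized)); // null, after a warning
```

The same guard can be applied one layer earlier, in HTTP middleware, by rejecting requests whose Cookie header exceeds the limit before any cookie library sees them; upgrading cookiejar to 2.1.4 remains the primary fix, and the length cap is defence in depth against other backtracking-prone parsers in the same request path.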

Available Upgrade Options

  • cookiejar
    • <2.1.4 → Upgrade to 2.1.4


Additional Resources

What are Similar Vulnerabilities to CVE-2022-25901?

Similar Vulnerabilities: CVE-2022-25927, CVE-2020-28186, CVE-2021-23340, CVE-2021-43285, CVE-2022-24765