
The dependency tough-cookie needs to be upgraded

Open haven2world opened this issue 2 years ago • 2 comments

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Could we upgrade to version tough-cookie@4.1.3?

haven2world, Jul 03 '23 08:07
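The bug class named in this report, prototype pollution through an improperly initialised lookup object, and the initialisation that closes it, as an added example. This is not tough-cookie's or ms-rest-js's code; the builder functions, the cookie records and the domain names are constructed for illustration.

```javascript
"use strict";
// Added example, not code from tough-cookie or ms-rest-js. It shows the bug
// class from the issue (a per-domain index built from a plain object literal)
// next to a null-prototype version that cannot reach Object.prototype.
// All cookie records and domain names are constructed sample values.

// Vulnerable pattern: when a record's domain is "__proto__", the lookup
// byDomain["__proto__"] resolves to Object.prototype through the inherited
// accessor, so the following assignment lands on every object in the realm.
function buildIndexUnsafe(cookies) {
  const byDomain = {};
  for (const c of cookies) {
    if (!byDomain[c.domain]) byDomain[c.domain] = {};
    byDomain[c.domain][c.key] = c.value;
  }
  return byDomain;
}

// Hardened pattern: null-prototype objects carry no "__proto__" accessor, so
// the same input would only ever create an ordinary own property. Dropping the
// three keys that address the prototype chain is a second, independent layer.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function buildIndexSafe(cookies) {
  const byDomain = Object.create(null);
  for (const c of cookies) {
    if (FORBIDDEN_KEYS.has(c.domain) || FORBIDDEN_KEYS.has(c.key)) continue;
    if (!byDomain[c.domain]) byDomain[c.domain] = Object.create(null);
    byDomain[c.domain][c.key] = c.value;
  }
  return byDomain;
}

// Detection check: true when Object.prototype itself carries the canary key,
// i.e. some code path has polluted the global prototype.
function prototypeIsPolluted(canary) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, canary);
}

// Runs both builders over the same constructed input and reports whether each
// one polluted Object.prototype; the unsafe run is cleaned up afterwards.
function demo() {
  const records = [
    { domain: "example.com", key: "session", value: "abc123" },
    { domain: "__proto__", key: "polluted", value: "yes" }, // hostile record
  ];
  buildIndexUnsafe(records);
  const unsafePolluted = prototypeIsPolluted("polluted");
  delete Object.prototype.polluted; // restore the realm before the safe run

  const safe = buildIndexSafe(records);
  const safePolluted = prototypeIsPolluted("polluted");
  return { unsafePolluted, safePolluted, safeDomains: Object.keys(safe) };
}

console.log(demo());
```

The `prototypeIsPolluted` check is the kind of assertion worth keeping in a test suite around any code that indexes by caller-supplied strings: it fails loudly the moment a plain-object lookup table is reintroduced.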

The vulnerability in tough-cookie versions before 4.1.3 is tracked here: https://nvd.nist.gov/vuln/detail/CVE-2023-26136. This is generating alerts in our component governance that I suspect will be hit by others as well.

astegmaier, Jul 03 '23 19:07

Looking forward to the new release. Before that I'm going to override the version of tough-cookie as a workaround locally. I ran the UT locally and it looked good. Do you have any concerns? Thanks!

haven2world, Jul 04 '23 02:07
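The local override workaround mentioned above only helps if every nested copy of tough-cookie is actually replaced, so a small check over the lockfile is worth running after the override. The script below is an added example, not ms-rest-js's or npm's code; the lockfile contents are a constructed sample (the ms-rest-js version and dependency names in it are placeholders, not real values), and the `overrides` field is the one supported by npm 8.3 and later.

```javascript
"use strict";
// Added example, not ms-rest-js's or npm's code. It locates every copy of
// tough-cookie in a package-lock.json (lockfileVersion 2/3 "packages" map),
// flags the ones below the 4.1.3 fix named in the issue, and produces the
// package.json "overrides" entry used as the local workaround.

const FIXED_VERSION = "4.1.3";

// Compare dotted numeric versions; true when a < b. Pre-release suffixes are
// dropped, which is adequate for a minimum-version gate such as this one.
function versionLess(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Nested installs appear under paths like
// "node_modules/<dep>/node_modules/tough-cookie", so match on the last segment
// rather than only the top-level "node_modules/tough-cookie" entry.
function findVulnerableToughCookie(lock, name = "tough-cookie") {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !path.endsWith("node_modules/" + name)) continue;
    if (versionLess(entry.version, FIXED_VERSION)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// The package.json fragment that pins one version across the whole tree.
function overrideSnippet(name = "tough-cookie", version = FIXED_VERSION) {
  return { overrides: { [name]: version } };
}

// Constructed sample lockfile: "0.0.0" and "other-dep" are placeholders, not
// real ms-rest-js versions or dependencies.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/tough-cookie": { version: "4.1.3" },
    "node_modules/ms-rest-js": { version: "0.0.0" },
    "node_modules/ms-rest-js/node_modules/tough-cookie": { version: "3.0.1" },
    "node_modules/other-dep": { version: "0.0.0" },
    "node_modules/other-dep/node_modules/tough-cookie": { version: "4.1.2" },
  },
};

console.log(findVulnerableToughCookie(SAMPLE_LOCK));
console.log(JSON.stringify(overrideSnippet(), null, 2));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result after `npm install` confirms the override took effect for every nested copy.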