
express-session vulnerability since it is still using a very old cookie-signature version #989

@andiclone

Description

Vulnerability

express-session, even in the latest v1.18.0, is still using cookie-signature v1.0.7, which is over a year old and has a 'sha1' vulnerability: https://owasp.org/Top10/A02_2021-Cryptographic_Failures/

Problem

In my project this has been reported for over 5 months, since the latest change in this package, but still no newer version has come out to fix this vulnerability.

Solution

Upgrade the dependency on cookie-signature to a newer version, ideally 1.2.1, where it changes the old sha1 standard to the much more secure and updated sha256.

Notes

This is my first time posting an issue here so if I'm missing something please let me know :)
