Vulnerability in dependency tough-cookie, through request #84
Description
I am seeing a Critical vulnerability showing up in my app due to tough-cookie:2.5.0 and when I trace it, I see it's coming from [email protected].
+-- [email protected]
| `-- [email protected]
| `-- [email protected]
The problem is that the responsible library is deprecated: https://www.npmjs.com/package/request
So the solution is to remove that library, and replacements are being discussed here: request/request#3143
I recommend enabling security scanning on this repository so that you can get automatic notifications of vulnerabilities faster than community reports like this one.
Details
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Description
Versions of the package tough-cookie before 4.1.3 is vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.Severity: Critical
Tool: Dependency Scanning
Scanner: GemnasiumLinks
salesforce/tough-cookie@12d4747
salesforce/tough-cookie#282
https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3
https://nvd.nist.gov/vuln/detail/CVE-2023-26136
https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873Identifiers
Gemnasium-d118b621-5e35-4aa7-895e-dcee6984cb08
CVE-2023-26136
Evidence
Vulnerable Package
tough-cookie:2.5.0