GHSA-5j35-xr4g-vwf4: @grackle-ai/server has a Missing Secure Flag on Session Cookie

March 25, 2026

The session cookie is set with HttpOnly; SameSite=Lax; Path=/ but does not include the Secure flag. This means the cookie will be sent over plain HTTP connections.

Since the server binds to 127.0.0.1 by default and uses HTTP (not HTTPS), this is acceptable for localhost use. However, when --allow-network is used to bind to 0.0.0.0, cookies could be transmitted over insecure network connections and intercepted by an attacker.

Affected code:

packages/server/src/session.ts:76 — cookie string lacks ; Secure attribute

References

github.com/advisories/GHSA-5j35-xr4g-vwf4
github.com/nick-pape/grackle
github.com/nick-pape/grackle/security/advisories/GHSA-5j35-xr4g-vwf4

Code Behaviors & Features

Detect and mitigate GHSA-5j35-xr4g-vwf4 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →