CVE-2024-47764: cookie accepts cookie name, path, and domain with out of bounds characters

October 4, 2024

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

References

github.com/advisories/GHSA-pxg6-pf52-xh8x
github.com/jshttp/cookie
github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c
github.com/jshttp/cookie/pull/167
github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x
nvd.nist.gov/vuln/detail/CVE-2024-47764

Detect and mitigate CVE-2024-47764 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →