Skip to content

fix: update cookie dependency to ^0.7.0 to address CVE-2024-47764 #960

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
keith-oak wants to merge 1 commit into from
Closed

fix: update cookie dependency to ^0.7.0 to address CVE-2024-47764 #960

keith-oak wants to merge 1 commit into from

Conversation

@keith-oak
Copy link

@keith-oak keith-oak commented Jun 24, 2025
edited
Loading

Summary

Details

This PR updates the cookie dependency to version 0.7.0 which includes proper validation to prevent malicious cookie values from injecting special properties like __proto__, constructor, or prototype into JavaScript objects.

The vulnerability (CVE-2024-47764) is rated as critical with a CVSS score of 9.1/10 and could allow attackers to perform prototype pollution attacks through specially crafted cookie values.

Changes Made

  • Updated cookie from ^0.5.0 to ^0.7.0 in package.json
  • Ran npm install to update package-lock.json accordingly

Testing

  • ✅ All unit tests pass (npm test)
  • ✅ Build completes successfully (npm run build)
  • ✅ No breaking changes - cookie 0.7.0 maintains backward compatibility

References

@keith-oak
fix: update cookie dependency to ^0.7.0 to address CVE-2024-47764
7e1f5d3 
Updates the cookie package from ^0.5.0 to ^0.7.0 to fix a critical security vulnerability (CVE-2024-47764) that allows malicious cookie values to inject unexpected key-value pairs into JavaScript objects.

The vulnerability could allow attackers to inject special properties like __proto__, constructor, or prototype through malicious cookie values.

Cookie 0.7.0 includes proper validation to prevent these injection attacks while maintaining backward compatibility.
This was referenced Jun 24, 2025
Closed
Closed
Open
@keith-oak keith-oak closed this by deleting the head repository Aug 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cjk7989 cjk7989 Awaiting requested review from cjk7989 cjk7989 is a code owner

@jessieyyt jessieyyt Awaiting requested review from jessieyyt jessieyyt is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Vulnerable dependency cookie < 0.7.0

1 participant

@keith-oak