Skip to content

fix: update cookie dependency to ^0.7.0 to address CVE-2024-47764 #960

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: update cookie dependency to ^0.7.0 to address CVE-2024-47764 #960

wants to merge 1 commit into from

Conversation

keith-oak
Copy link

@keith-oak keith-oak commented Jun 24, 2025
edited
Loading

Summary

Details

This PR updates the cookie dependency to version 0.7.0 which includes proper validation to prevent malicious cookie values from injecting special properties like __proto__, constructor, or prototype into JavaScript objects.

The vulnerability (CVE-2024-47764) is rated as critical with a CVSS score of 9.1/10 and could allow attackers to perform prototype pollution attacks through specially crafted cookie values.

Changes Made

  • Updated cookie from ^0.5.0 to ^0.7.0 in package.json
  • Ran npm install to update package-lock.json accordingly

Testing

  • ✅ All unit tests pass (npm test)
  • ✅ Build completes successfully (npm run build)
  • ✅ No breaking changes - cookie 0.7.0 maintains backward compatibility

References

@keith-oak
fix: update cookie dependency to ^0.7.0 to address CVE-2024-47764
7e1f5d3 
Updates the cookie package from ^0.5.0 to ^0.7.0 to fix a critical security vulnerability (CVE-2024-47764) that allows malicious cookie values to inject unexpected key-value pairs into JavaScript objects.

The vulnerability could allow attackers to inject special properties like __proto__, constructor, or prototype through malicious cookie values.

Cookie 0.7.0 includes proper validation to prevent these injection attacks while maintaining backward compatibility.
This was referenced Jun 24, 2025
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cjk7989 cjk7989 Awaiting requested review from cjk7989 cjk7989 is a code owner

@jessieyyt jessieyyt Awaiting requested review from jessieyyt jessieyyt is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Vulnerable dependency cookie < 0.7.0
1 participant
@keith-oak