VulnerableCode Package Details - pkg:npm/tough-cookie@2.2.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-3buh-pfq7-9kf2 Aliases: GMS-2017-210	Regular Expression Denial of Service The `tough-cookie` module is vulnerable to regular expression denial of service. Input of around k characters is required for a slow down of around 2 seconds. Unless node was compiled using the `-DHTTP_MAX_HEADER_SIZE=` option the default header max length is kb so the impact of the ReDoS is limited to around seconds of blocking.	2.3.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-am2z-v7gj-nqch Aliases: CVE-2017-15010 GHSA-g7q5-pjjr-gqvp	Uncontrolled Resource Consumption An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.	2.3.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-gcrq-1at1-bygq Aliases: CVE-2016-1000232 GHSA-qhv9-728r-6jqg	Improper Input Validation NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0.	2.3.0 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-wjaq-7np6-z3bk Aliases: CVE-2023-26136 GHSA-72xf-g2v4-qvf3	Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Versions of the package tough-cookie before 4.1.3 is vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.	4.1.3 Affected by 0 other vulnerabilities.
VCID-z4vf-knv2-7qeb Aliases: GMS-2016-49	ReDoS via long string of semicolons Tough-cookie contain a vulnerable regular expression that, under certain conditions involving long strings of semicolons in the "Set-Cookie" header, causes the event loop to block for excessive amounts of time.	2.3.0 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-3buh-pfq7-9kf2
Aliases:
GMS-2017-210

Regular Expression Denial of Service The `tough-cookie` module is vulnerable to regular expression denial of service. Input of around k characters is required for a slow down of around 2 seconds. Unless node was compiled using the `-DHTTP_MAX_HEADER_SIZE=` option the default header max length is kb so the impact of the ReDoS is limited to around seconds of blocking.

2.3.3
Affected by 1 other vulnerability.

VCID-am2z-v7gj-nqch
Aliases:
CVE-2017-15010
GHSA-g7q5-pjjr-gqvp

Uncontrolled Resource Consumption An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.

2.3.3
Affected by 1 other vulnerability.

VCID-gcrq-1at1-bygq
Aliases:
CVE-2016-1000232
GHSA-qhv9-728r-6jqg

Improper Input Validation NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0.

2.3.0
Affected by 3 other vulnerabilities.

VCID-wjaq-7np6-z3bk
Aliases:
CVE-2023-26136
GHSA-72xf-g2v4-qvf3

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Versions of the package tough-cookie before 4.1.3 is vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

4.1.3
Affected by 0 other vulnerabilities.

VCID-z4vf-knv2-7qeb
Aliases:
GMS-2016-49

ReDoS via long string of semicolons Tough-cookie contain a vulnerable regular expression that, under certain conditions involving long strings of semicolons in the "Set-Cookie" header, causes the event loop to block for excessive amounts of time.

2.3.0
Affected by 3 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T22:32:50.086633+00:00	GitLab Importer	Affected by	VCID-wjaq-7np6-z3bk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tough-cookie/CVE-2023-26136.yml	38.4.0
2026-04-16T20:47:52.812568+00:00	GitLab Importer	Affected by	VCID-gcrq-1at1-bygq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tough-cookie/CVE-2016-1000232.yml	38.4.0
2026-04-16T20:38:57.562502+00:00	GitLab Importer	Affected by	VCID-am2z-v7gj-nqch	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tough-cookie/CVE-2017-15010.yml	38.4.0
2026-04-16T20:38:21.138024+00:00	GitLab Importer	Affected by	VCID-3buh-pfq7-9kf2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tough-cookie/GMS-2017-210.yml	38.4.0
2026-04-16T20:34:25.165375+00:00	GitLab Importer	Affected by	VCID-z4vf-knv2-7qeb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tough-cookie/GMS-2016-49.yml	38.4.0
2026-04-16T01:21:47.398790+00:00	GHSA Importer	Affected by	VCID-am2z-v7gj-nqch	https://github.com/advisories/GHSA-g7q5-pjjr-gqvp	38.4.0
2026-04-11T23:51:43.214449+00:00	GitLab Importer	Affected by	VCID-wjaq-7np6-z3bk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tough-cookie/CVE-2023-26136.yml	38.3.0
2026-04-11T21:58:45.624489+00:00	GitLab Importer	Affected by	VCID-gcrq-1at1-bygq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tough-cookie/CVE-2016-1000232.yml	38.3.0
2026-04-11T21:49:43.254487+00:00	GitLab Importer	Affected by	VCID-am2z-v7gj-nqch	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tough-cookie/CVE-2017-15010.yml	38.3.0
2026-04-11T21:49:02.207197+00:00	GitLab Importer	Affected by	VCID-3buh-pfq7-9kf2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tough-cookie/GMS-2017-210.yml	38.3.0
2026-04-11T21:44:53.730895+00:00	GitLab Importer	Affected by	VCID-z4vf-knv2-7qeb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tough-cookie/GMS-2016-49.yml	38.3.0
2026-04-11T12:50:48.779556+00:00	GHSA Importer	Affected by	VCID-am2z-v7gj-nqch	https://github.com/advisories/GHSA-g7q5-pjjr-gqvp	38.3.0
2026-04-02T23:54:57.136754+00:00	GitLab Importer	Affected by	VCID-wjaq-7np6-z3bk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tough-cookie/CVE-2023-26136.yml	38.1.0
2026-04-02T22:12:04.459573+00:00	GitLab Importer	Affected by	VCID-gcrq-1at1-bygq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tough-cookie/CVE-2016-1000232.yml	38.1.0
2026-04-02T22:03:33.175738+00:00	GitLab Importer	Affected by	VCID-am2z-v7gj-nqch	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tough-cookie/CVE-2017-15010.yml	38.1.0
2026-04-02T22:02:56.124532+00:00	GitLab Importer	Affected by	VCID-3buh-pfq7-9kf2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tough-cookie/GMS-2017-210.yml	38.1.0
2026-04-02T21:58:56.827129+00:00	GitLab Importer	Affected by	VCID-z4vf-knv2-7qeb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tough-cookie/GMS-2016-49.yml	38.1.0
2026-04-02T13:44:19.671374+00:00	GHSA Importer	Affected by	VCID-am2z-v7gj-nqch	https://github.com/advisories/GHSA-g7q5-pjjr-gqvp	38.1.0
2026-04-01T16:54:46.368060+00:00	Npm Importer	Affected by	VCID-gcrq-1at1-bygq	https://github.com/nodejs/security-wg/blob/main/vuln/npm/130.json	38.0.0
2026-04-01T16:29:26.192201+00:00	GitLab Importer	Affected by	VCID-gcrq-1at1-bygq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tough-cookie/CVE-2016-1000232.yml	38.0.0
2026-04-01T16:20:36.742258+00:00	GitLab Importer	Affected by	VCID-am2z-v7gj-nqch	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tough-cookie/CVE-2017-15010.yml	38.0.0
2026-04-01T16:20:06.109414+00:00	GitLab Importer	Affected by	VCID-3buh-pfq7-9kf2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tough-cookie/GMS-2017-210.yml	38.0.0
2026-04-01T12:47:05.257193+00:00	GitLab Importer	Affected by	VCID-z4vf-knv2-7qeb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tough-cookie/GMS-2016-49.yml	38.0.0