{"url":"http://public2.vulnerablecode.io/api/packages/156378?format=json","purl":"pkg:npm/tough-cookie@0.9.13","type":"npm","namespace":"","name":"tough-cookie","version":"0.9.13","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.1.3","latest_non_vulnerable_version":"4.1.3","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8190?format=json","vulnerability_id":"VCID-3buh-pfq7-9kf2","summary":"Regular Expression Denial of Service\nThe `tough-cookie` module is vulnerable to regular expression denial of service. Input of around k characters is required for a slow down of around 2 seconds. Unless node was compiled using the `-DHTTP_MAX_HEADER_SIZE=` option the default header max length is kb so the impact of the ReDoS is limited to around seconds of blocking.","references":[{"reference_url":"https://github.com/salesforce/tough-cookie/issues/92","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/salesforce/tough-cookie/issues/92"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/24760?format=json","purl":"pkg:npm/tough-cookie@2.3.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-wjaq-7np6-z3bk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/tough-cookie@2.3.3"}],"aliases":["GMS-2017-210"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3buh-pfq7-9kf2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8294?format=json","vulnerability_id":"VCID-am2z-v7gj-nqch","summary":"Uncontrolled Resource Consumption\nAn attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2017:2912","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2017:2912"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:2913","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2017:2913"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:1263","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:1263"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:1264","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:1264"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-15010.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-15010.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15010","reference_id":"","reference_type":"","scores":[{"value":"0.03942","scoring_system":"epss","scoring_elements":"0.88387","published_at":"2026-05-05T12:55:00Z"},{"value":"0.03942","scoring_system":"epss","scoring_elements":"0.8829","published_at":"2026-04-01T12:55:00Z"},{"value":"0.03942","scoring_system":"epss","scoring_elements":"0.88298","published_at":"2026-04-02T12:55:00Z"},{"value":"0.03942","scoring_system":"epss","scoring_elements":"0.88313","published_at":"2026-04-04T12:55:00Z"},{"value":"0.03942","scoring_system":"epss","scoring_elements":"0.88317","published_at":"2026-04-07T12:55:00Z"},{"value":"0.03942","scoring_system":"epss","scoring_elements":"0.88336","published_at":"2026-04-08T12:55:00Z"},{"value":"0.03942","scoring_system":"epss","scoring_elements":"0.88342","published_at":"2026-04-09T12:55:00Z"},{"value":"0.03942","scoring_system":"epss","scoring_elements":"0.88353","published_at":"2026-04-21T12:55:00Z"},{"value":"0.03942","scoring_system":"epss","scoring_elements":"0.88344","published_at":"2026-04-13T12:55:00Z"},{"value":"0.03942","scoring_system":"epss","scoring_elements":"0.88358","published_at":"2026-04-16T12:55:00Z"},{"value":"0.03942","scoring_system":"epss","scoring_elements":"0.88354","published_at":"2026-04-18T12:55:00Z"},{"value":"0.03942","scoring_system":"epss","scoring_elements":"0.8837","published_at":"2026-04-24T12:55:00Z"},{"value":"0.03942","scoring_system":"epss","scoring_elements":"0.88375","published_at":"2026-04-26T12:55:00Z"},{"value":"0.03942","scoring_system":"epss","scoring_elements":"0.88376","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15010"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15010","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15010"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/advisories/GHSA-g7q5-pjjr-gqvp","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g7q5-pjjr-gqvp"},{"reference_url":"https://github.com/salesforce/tough-cookie","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/salesforce/tough-cookie"},{"reference_url":"https://github.com/salesforce/tough-cookie/commit/f1ed420a6a92ea7a5418df6e39e676556bc0c71d","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/salesforce/tough-cookie/commit/f1ed420a6a92ea7a5418df6e39e676556bc0c71d"},{"reference_url":"https://github.com/salesforce/tough-cookie/issues/92","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/salesforce/tough-cookie/issues/92"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT/"},{"reference_url":"https://nodesecurity.io/advisories/525","reference_id":"","reference_type":"","scores":[],"url":"https://nodesecurity.io/advisories/525"},{"reference_url":"https://snyk.io/vuln/npm:tough-cookie:20170905","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/npm:tough-cookie:20170905"},{"reference_url":"https://www.npmjs.com/advisories/525","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/525"},{"reference_url":"http://www.securityfocus.com/bid/101185","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/101185"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1493989","reference_id":"1493989","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1493989"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877660","reference_id":"877660","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877660"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:salesforce:tough-cookie:*:*:*:*:*:node.js:*:*","reference_id":"cpe:2.3:a:salesforce:tough-cookie:*:*:*:*:*:node.js:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:salesforce:tough-cookie:*:*:*:*:*:node.js:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15010","reference_id":"CVE-2017-15010","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:N/I:N/A:P"},{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15010"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/24760?format=json","purl":"pkg:npm/tough-cookie@2.3.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-wjaq-7np6-z3bk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/tough-cookie@2.3.3"}],"aliases":["CVE-2017-15010","GHSA-g7q5-pjjr-gqvp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-am2z-v7gj-nqch"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9889?format=json","vulnerability_id":"VCID-gcrq-1at1-bygq","summary":"Improper Input Validation\nNodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2016:2101","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2016:2101"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:2912","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2017:2912"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000232.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000232.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000232","reference_id":"","reference_type":"","scores":[{"value":"0.00921","scoring_system":"epss","scoring_elements":"0.7597","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00921","scoring_system":"epss","scoring_elements":"0.76059","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00921","scoring_system":"epss","scoring_elements":"0.7605","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00921","scoring_system":"epss","scoring_elements":"0.76039","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00921","scoring_system":"epss","scoring_elements":"0.76029","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00921","scoring_system":"epss","scoring_elements":"0.75991","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00921","scoring_system":"epss","scoring_elements":"0.76006","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00921","scoring_system":"epss","scoring_elements":"0.75909","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00921","scoring_system":"epss","scoring_elements":"0.75913","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00921","scoring_system":"epss","scoring_elements":"0.75945","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00921","scoring_system":"epss","scoring_elements":"0.75923","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00921","scoring_system":"epss","scoring_elements":"0.75956","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00921","scoring_system":"epss","scoring_elements":"0.76003","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00921","scoring_system":"epss","scoring_elements":"0.75964","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00921","scoring_system":"epss","scoring_elements":"0.75971","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00921","scoring_system":"epss","scoring_elements":"0.75994","published_at":"2026-04-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000232"},{"reference_url":"https://github.com/salesforce/tough-cookie","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/salesforce/tough-cookie"},{"reference_url":"https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae"},{"reference_url":"https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534"},{"reference_url":"https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232"},{"reference_url":"https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/","reference_id":"","reference_type":"","scores":[],"url":"https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/"},{"reference_url":"https://www.npmjs.com/advisories/130","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/130"},{"reference_url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/130.json","reference_id":"130","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/130.json"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1359818","reference_id":"1359818","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1359818"},{"reference_url":"https://access.redhat.com/security/cve/cve-2016-1000232","reference_id":"CVE-2016-1000232","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/security/cve/cve-2016-1000232"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000232","reference_id":"CVE-2016-1000232","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000232"},{"reference_url":"https://github.com/advisories/GHSA-qhv9-728r-6jqg","reference_id":"GHSA-qhv9-728r-6jqg","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qhv9-728r-6jqg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/22889?format=json","purl":"pkg:npm/tough-cookie@2.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3buh-pfq7-9kf2"},{"vulnerability":"VCID-am2z-v7gj-nqch"},{"vulnerability":"VCID-wjaq-7np6-z3bk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/tough-cookie@2.3.0"}],"aliases":["CVE-2016-1000232","GHSA-qhv9-728r-6jqg"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gcrq-1at1-bygq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18166?format=json","vulnerability_id":"VCID-wjaq-7np6-z3bk","summary":"Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')\nVersions of the package tough-cookie before 4.1.3 is vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26136.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26136.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-26136","reference_id":"","reference_type":"","scores":[{"value":"0.06371","scoring_system":"epss","scoring_elements":"0.90971","published_at":"2026-04-04T12:55:00Z"},{"value":"0.06371","scoring_system":"epss","scoring_elements":"0.90962","published_at":"2026-04-02T12:55:00Z"},{"value":"0.06371","scoring_system":"epss","scoring_elements":"0.90982","published_at":"2026-04-07T12:55:00Z"},{"value":"0.06371","scoring_system":"epss","scoring_elements":"0.91029","published_at":"2026-04-18T12:55:00Z"},{"value":"0.06371","scoring_system":"epss","scoring_elements":"0.91031","published_at":"2026-04-16T12:55:00Z"},{"value":"0.06371","scoring_system":"epss","scoring_elements":"0.91006","published_at":"2026-04-13T12:55:00Z"},{"value":"0.06371","scoring_system":"epss","scoring_elements":"0.91007","published_at":"2026-04-12T12:55:00Z"},{"value":"0.06371","scoring_system":"epss","scoring_elements":"0.90998","published_at":"2026-04-09T12:55:00Z"},{"value":"0.06371","scoring_system":"epss","scoring_elements":"0.90993","published_at":"2026-04-08T12:55:00Z"},{"value":"0.06423","scoring_system":"epss","scoring_elements":"0.91103","published_at":"2026-05-05T12:55:00Z"},{"value":"0.06534","scoring_system":"epss","scoring_elements":"0.9115","published_at":"2026-04-21T12:55:00Z"},{"value":"0.06534","scoring_system":"epss","scoring_elements":"0.91163","published_at":"2026-04-24T12:55:00Z"},{"value":"0.06534","scoring_system":"epss","scoring_elements":"0.91161","published_at":"2026-04-26T12:55:00Z"},{"value":"0.06587","scoring_system":"epss","scoring_elements":"0.91197","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-26136"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26136","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26136"},{"reference_url":"https://github.com/salesforce/tough-cookie","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/salesforce/tough-cookie"},{"reference_url":"https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-09T20:37:58Z/"}],"url":"https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e"},{"reference_url":"https://github.com/salesforce/tough-cookie/issues/282","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-09T20:37:58Z/"}],"url":"https://github.com/salesforce/tough-cookie/issues/282"},{"reference_url":"https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-09T20:37:58Z/"}],"url":"https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-09T20:37:58Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240621-0006","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240621-0006"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-09T20:37:58Z/"}],"url":"https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2219310","reference_id":"2219310","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2219310"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/","reference_id":"3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-09T20:37:58Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/","reference_id":"6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-09T20:37:58Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26136","reference_id":"CVE-2023-26136","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26136"},{"reference_url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3","reference_id":"GHSA-72xf-g2v4-qvf3","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3998","reference_id":"RHSA-2023:3998","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3998"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:5006","reference_id":"RHSA-2023:5006","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:5006"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:5541","reference_id":"RHSA-2023:5541","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:5541"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:5542","reference_id":"RHSA-2023:5542","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:5542"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:7222","reference_id":"RHSA-2023:7222","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:7222"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8676","reference_id":"RHSA-2024:8676","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8676"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0082","reference_id":"RHSA-2025:0082","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0082"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0164","reference_id":"RHSA-2025:0164","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0164"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0323","reference_id":"RHSA-2025:0323","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0323"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58539?format=json","purl":"pkg:npm/tough-cookie@4.1.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/tough-cookie@4.1.3"}],"aliases":["CVE-2023-26136","GHSA-72xf-g2v4-qvf3"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wjaq-7np6-z3bk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7462?format=json","vulnerability_id":"VCID-z4vf-knv2-7qeb","summary":"ReDoS via long string of semicolons\nTough-cookie contain a vulnerable regular expression that, under certain conditions involving long strings of semicolons in the \"Set-Cookie\" header, causes the event loop to block for excessive amounts of time.","references":[{"reference_url":"https://github.com/SalesforceEng/tough-cookie/pull/68","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/SalesforceEng/tough-cookie/pull/68"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/22889?format=json","purl":"pkg:npm/tough-cookie@2.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3buh-pfq7-9kf2"},{"vulnerability":"VCID-am2z-v7gj-nqch"},{"vulnerability":"VCID-wjaq-7np6-z3bk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/tough-cookie@2.3.0"}],"aliases":["GMS-2016-49"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z4vf-knv2-7qeb"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/tough-cookie@0.9.13"}