Vulnerability in dependency, cookie 0.6.0

[htran-ubed]

Describe the bug

Impact
The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

Patches
Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Reproduction

npm audit

Logs

System Info

System:
  OS: Windows 11 10.0.26100
  CPU: (8) x64 AMD Ryzen 7 3700U with Radeon Vega Mobile Gfx
  Memory: 928.29 MB / 9.95 GB
Binaries:
  Node: 22.12.0 - C:\Program Files\nodejs\node.EXE
  npm: 11.3.0 - C:\Program Files\nodejs\npm.CMD
  pnpm: 10.8.1 - ~\AppData\Roaming\npm\pnpm.CMD
Browsers:
  Edge: Chromium (131.0.2903.146)
  Internet Explorer: 11.0.26100.1882

Severity

annoyance

Additional Information

{
  "actions": [
    {
      "action": "review",
      "module": "cookie",
      "resolves": [
        {
          "id": 1099846,
          "path": ".>@sveltejs/kit>cookie",
          "dev": false,
          "optional": false,
          "bundled": false
        }
      ]
    }
  ],
  "advisories": {
    "1099846": {
      "findings": [
        {
          "version": "0.6.0",
          "paths": [
            ".>@sveltejs/kit>cookie"
          ]
        }
      ],
      "found_by": null,
      "deleted": null,
      "references": "- https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x\n- https://github.com/jshttp/cookie/pull/167\n- https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c\n- https://github.com/advisories/GHSA-pxg6-pf52-xh8x",
      "created": "2024-10-04T20:31:00.000Z",
      "id": 1099846,
      "npm_advisory_id": null,
      "overview": "### Impact\n\nThe cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, `serialize(\"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a\", value)` would result in `\"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test\"`, setting `userName` cookie to `<script>` and ignoring `value`.\n\nA similar escape can be used for `path` and `domain`, which could be abused to alter other fields of the cookie.\n\n### Patches\n\nUpgrade to 0.7.0, which updates the validation for `name`, `path`, and `domain`.\n\n### Workarounds\n\nAvoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.\n\n### References\n\n* https://github.com/jshttp/cookie/pull/167",
      "reported_by": null,
      "title": "cookie accepts cookie name, path, and domain with out of bounds characters",
      "metadata": null,
      "cves": [
        "CVE-2024-47764"
      ],
      "access": "public",
      "severity": "low",
      "module_name": "cookie",
      "vulnerable_versions": "<0.7.0",
      "github_advisory_id": "GHSA-pxg6-pf52-xh8x",
      "recommendation": "Upgrade to version 0.7.0 or later",
      "patched_versions": ">=0.7.0",
      "updated": "2024-10-04T20:31:01.000Z",
      "cvss": {
        "score": 0,
        "vectorString": null
      },
      "cwe": [
        "CWE-74"
      ],
      "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x"
    }
  },
  "muted": [],
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 1,
      "moderate": 0,
      "high": 0,
      "critical": 0
    },
    "dependencies": 528,
    "devDependencies": 0,
    "optionalDependencies": 0,
    "totalDependencies": 528
  }
}

[Conduitry]

Duplicate of several other issues - https://github.com/sveltejs/kit/issues?q=is%3Aissue%20cookie%20vulnerability - There's a pending PR for this: #13386