VYPR
High severityNVD Advisory· Published Feb 1, 2022· Updated Aug 3, 2024

Unsafe handling of user-specified cookies in treq

CVE-2022-23607

Description

treq is an HTTP library inspired by requests but written on top of Twisted's Agents. Treq's request methods (treq.get, treq.post, etc.) and treq.client.HTTPClient constructor accept cookies as a dictionary. Such cookies are not bound to a single domain, and are therefore sent to *every* domain ("supercookies"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should https://example.com redirect to http://cloudstorageprovider.com the latter will receive the cookie session. Treq 2021.1.0 and later bind cookies given to request methods (treq.request, treq.get, HTTPClient.request, HTTPClient.get, etc.) to the origin of the *url* parameter. Users are advised to upgrade. For users unable to upgrade Instead of passing a dictionary as the *cookies* argument, pass a http.cookiejar.CookieJar instance with properly domain- and scheme-scoped cookies in it.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
treqPyPI
< 22.1.022.1.0

Affected products

5

Patches

Vulnerability mechanics

References

8

News mentions

0

No linked articles in our index yet.