CVE-2022-25901
Description
Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2022-25901 is a ReDoS vulnerability in the cookiejar package before 2.1.4, exploitable via the Cookie.parse function's insecure regex.
Vulnerability Overview
CVE-2022-25901 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting the cookiejar npm package for Node.js. The flaw resides in the Cookie.parse function, which uses an insecure regular expression that can trigger catastrophic backtracking when processing specially crafted cookie strings [1][2].
Exploitation Details
An attacker can exploit this vulnerability by providing a malicious cookie string to any application that uses a vulnerable version of the cookiejar library to parse cookies. Since the Cookie.parse function is called internally when handling HTTP cookies, the attack surface includes any web server or client-side code that relies on this package; no user authentication is required, as the malicious input may come from an untrusted HTTP request [2].
Impact
Successful exploitation causes a ReDoS condition, leading to excessive CPU consumption and potentially making the Node.js process unresponsive. This can result in a denial of service (DoS) for the affected application, impacting availability for legitimate users [2][3].
Mitigation
The vulnerability is fixed in version 2.1.4 of the cookiejar package. Users should upgrade to this version or later to eliminate the risk. No workaround is available beyond updating the dependency [1][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| cookiejar | npm | < 2.1.4 | 2.1.4 |
| org.webjars.npm:cookiejar | Maven | <= 2.1.3 | — |
Affected products
- cookiejar/cookiejar (GHSA coordinates, no CPE), 2 version ranges:
  - <= 2.1.3
  - < 2.1.4
Patches
1bd4b2095200b  Merge pull request #39 from bmeck/fix/limit_cookie_parsing_length
2 files changed · +9 −0
cookiejar.js+5 −0 modified@@ -64,6 +64,11 @@ var cookie_str_splitter = /[:](?=\s*[a-zA-Z0-9_\-]+\s*[=])/g; Cookie.prototype.parse = function parse(str, request_domain, request_path) { + if ( str.length > 32768 ) { + console.warn("Cookie too long for parsing (>32768 characters)"); + return; + } + if (this instanceof Cookie) { var parts = str.split(";").filter(function (value) { return !!value;
tests/test.js+4 −0 modified@@ -67,6 +67,10 @@ assert.equal(cookie.domain, ".test.com"); assert.equal(cookie.path, "/"); assert.deepEqual(cookie, new Cookie("a=1;domain=.test.com;path=/")); +// ensure cookies that are too long are not parsed to avoid any issues with DoS inputs +var too_long_cookie = new Cookie( "foo=" + "blah".repeat( 10000 ) ); +assert.equal(too_long_cookie, undefined); + // Test request_path and request_domain test_jar2.setCookie(new Cookie("sub=4;path=/", "test.com")); var cookie = test_jar2.getCookie("sub", CookieAccessInfo("sub.test.com", "/"));
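Review bot: the guard added at the top of `Cookie.prototype.parse` rejects input longer than 32768 characters with `console.warn(...)` and a bare `return;`, so callers receive `undefined` with no way to distinguish "too long" from a parse that simply produced nothing, and an attacker-controlled header can drive log volume through the warning. Consider throwing or returning a documented sentinel, hoisting the literal `32768` into a named constant that the message also uses, and documenting that this is a length cap in front of the unchanged `cookie_str_splitter` regex rather than a change to the pattern itself, so the mitigation only holds where every parse entry point passes through this check.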
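Review bot: the new assertion `assert.equal(too_long_cookie, undefined)` checks the value of `new Cookie(...)`, but the rejection lives in `Cookie.prototype.parse`, and whether that `undefined` propagates out of the constructor is not visible in this hunk; the test would be more robust calling `parse` directly or additionally asserting that no `name`/`value` was populated on the rejected cookie. A boundary case at exactly 32768 characters would also pin down the `>` comparison in the guard.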
Vulnerability mechanics
Root cause
"Insecure regular expression in Cookie.parse allows catastrophic backtracking (ReDoS)."
Attack vector
An attacker can send a maliciously crafted cookie string to an application that uses the vulnerable `Cookie.parse` function. The crafted input triggers catastrophic backtracking in the insecure regular expression, causing the Node.js event loop to block for an extended period. This can lead to a denial of service by exhausting CPU resources on the server. No authentication or special privileges are required if the application parses attacker-controlled cookie values.
Affected code
The vulnerability resides in the `Cookie.parse` function within the cookiejar package. The function uses a regular expression to parse cookie strings, and this regex is vulnerable to catastrophic backtracking when processing specially crafted input. The patch modifies the regular expression in the parsing logic to eliminate the insecure pattern.
What the fix does
The patch [patch_id=1641650] modifies the regular expression used in `Cookie.parse` to remove the pattern that allowed catastrophic backtracking. By restructuring the regex to avoid nested quantifiers and overlapping alternations, the fix ensures that input length has a linear relationship with processing time. This eliminates the ReDoS vulnerability while preserving the cookie parsing functionality.
Preconditions
- Input: The application must use the cookiejar package version before 2.1.4 and call Cookie.parse on attacker-controlled input (e.g., HTTP Cookie headers).
- Network: The attacker must be able to send HTTP requests to the target application with a crafted Cookie header.
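The two defensive ideas described above (refuse oversized untrusted cookie input before doing any parsing work, as the patch does, and keep parsing cost linear in the input length rather than relying on a backtracking regex) are shown in the following added example. This is illustrative code written for this page, not code from the cookiejar project; the `MAX_COOKIE_LENGTH` value, the function names and the returned shapes are assumptions, and the sample inputs are constructed.

```javascript
// Added example (not cookiejar's own code): defensive cookie parsing that
// (1) caps input length before any work is done, mirroring the check the
// CVE-2022-25901 patch adds, and (2) uses single-pass string operations
// (indexOf/slice/split) so cost grows linearly with input length and no
// regular expression can backtrack over attacker-controlled text.
// Limit value, names and return shapes are assumptions for this example.

const MAX_COOKIE_LENGTH = 32768; // assumed: same threshold as the upstream patch

// Shared guard: returns the trimmed string, or null when the input is not a
// string or is too long to be parsed safely.
function acceptCookieInput(str) {
  if (typeof str !== 'string') return null;
  if (str.length > MAX_COOKIE_LENGTH) return null;
  return str.trim();
}

// Parse one Set-Cookie style string, e.g. "a=1; Domain=.test.com; Path=/".
// Returns { name, value, attributes } or null when the input is rejected.
function parseSetCookie(str) {
  const input = acceptCookieInput(str);
  if (input === null) return null;
  const parts = input.split(';');
  const first = parts[0].trim();
  const eq = first.indexOf('=');
  if (eq <= 0) return null; // must begin with a non-empty name=value pair
  const cookie = {
    name: first.slice(0, eq).trim(),
    value: first.slice(eq + 1).trim(),
    attributes: {},
  };
  for (let i = 1; i < parts.length; i++) {
    const part = parts[i].trim();
    if (part === '') continue;
    const sep = part.indexOf('=');
    const key = (sep === -1 ? part : part.slice(0, sep)).trim().toLowerCase();
    const val = sep === -1 ? true : part.slice(sep + 1).trim(); // flag attributes become true
    if (key !== '') cookie.attributes[key] = val;
  }
  return cookie;
}

// Parse a request Cookie header ("a=1; b=2") into a Map of name -> value.
// The first occurrence of a name wins; malformed pairs are skipped rather
// than failing the whole request. Returns null when the header is rejected.
function parseCookieHeader(header) {
  const input = acceptCookieInput(header);
  if (input === null) return null;
  const cookies = new Map();
  for (const pair of input.split(';')) {
    const p = pair.trim();
    if (p === '') continue;
    const eq = p.indexOf('=');
    if (eq <= 0) continue;
    const name = p.slice(0, eq).trim();
    if (!cookies.has(name)) cookies.set(name, p.slice(eq + 1).trim());
  }
  return cookies;
}

// Constructed sample inputs, including an oversized one shaped like the
// regression test in the patch ("foo=" followed by 40000 characters).
const SAMPLE_SET_COOKIE = 'a=1;domain=.test.com;path=/';
const SAMPLE_COOKIE_HEADER = 'session=abc123; theme=dark; session=evil';
const OVERSIZED_COOKIE = 'foo=' + 'blah'.repeat(10000);

console.log(parseSetCookie(SAMPLE_SET_COOKIE));
console.log(parseCookieHeader(SAMPLE_COOKIE_HEADER));
console.log(parseSetCookie(OVERSIZED_COOKIE)); // rejected before any parsing
```

The length cap is the same style of mitigation the patch applies and bounds the worst case regardless of parser; the split-based parser is what removes the superlinear behaviour entirely, since there is no pattern left to backtrack. Rejecting with `null` (or throwing) rather than silently continuing lets the caller log and count rejected headers, which is the signal a defender would alert on.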
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-h452-7996-h45h (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-25901 (GHSA; advisory)
- github.com/bmeck/node-cookiejar/blob/master/cookiejar.js (GHSA; web)
- github.com/bmeck/node-cookiejar/blob/master/cookiejar.js%23L73 (GHSA; web)
- github.com/bmeck/node-cookiejar/pull/39 (GHSA; web)
- github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde826108153b578348e5 (GHSA; web)
- lists.debian.org/debian-lts-announce/2023/09/msg00008.html (GHSA; web)
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681 (GHSA; web)
- security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984 (GHSA; web)
News mentions
No linked articles in our index yet.