cookie-signature dependency has timing vulnerability #3583

drewjenkins · 2018-03-06T16:07:09Z

To resolve, upgrade the cookie-parser dependency to 1.1.0 or above

dougwilson · 2018-03-06T16:24:32Z

We cannot upgrade because Node.js 6 is required to upgrade.

dougwilson · 2018-03-06T16:26:09Z

See discussion and my rejected PR in tj/node-cookie-signature#25

dougwilson · 2018-03-06T16:27:03Z

The author of cookie-signature asserts that Snyk is wrong and prior versions are not vulunerable. We are kinda stuck...

dougwilson · 2018-03-06T16:32:45Z

I created tj/node-cookie-signature#27 to determine more from that upstream dependency.

Security issues need to be reported per our policy in https://github.com/expressjs/express/blob/master/Security.md in the future.

dougwilson · 2018-03-06T16:58:27Z

FYI the author of cookie-signature is looking to contact Snyk to remove the incorrect report: tj/node-cookie-signature#27 (comment)

dougwilson · 2018-03-15T02:44:09Z

The Snyk report was incorrect and has been removed.

dougwilson mentioned this issue Mar 6, 2018

Use the tsscmp module for older Node.js compatibility tj/node-cookie-signature#25

Closed

dougwilson closed this as completed Mar 6, 2018

expressjs locked and limited conversation to collaborators Mar 6, 2018

Provide feedback