Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerable version of tough-cookie in use (2.5.0) CVE-2023-26136 #31

Closed
ffengGP opened this issue Jul 3, 2023 · 5 comments · Fixed by #32
Closed

Vulnerable version of tough-cookie in use (2.5.0) CVE-2023-26136 #31

ffengGP opened this issue Jul 3, 2023 · 5 comments · Fixed by #32
Labels
released

Comments

@ffengGP
Copy link

ffengGP commented Jul 3, 2023
edited
Loading

Summary

The version of tough-cookie package in use is 2.5.0, which is old version and is vulnerable to CVE-2023-26136

This should be updated to 4.1.3 (or higher). The main cypress release should then also be updated to include this new release of request.

https://www.cve.org/CVERecord?id=CVE-2023-26136

Package:
https://github.com/cypress-io/request/blob/master/package.json

Simplest Example to Reproduce

https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873

Possible Solution

https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
@thaddmt thaddmt mentioned this issue Jul 8, 2023
Merged
5 tasks
@alfaproject
Copy link

Just got our pipelines stalled by this as well ):

This was referenced Jul 10, 2023
Merged
Closed
@MikeMcC399
Copy link

MikeMcC399 commented Jul 14, 2023
edited
Loading

Apparently issues here do not get triaged.

@dstapleton92
Copy link

This is holding up our pipelines as well. Just a heads up that the module in question is tough-cookie, not touch-cookie.

@jeffsays
Copy link

bump - any chance this gets fixed soon @tgriesser?

@cypress-app-bot
Copy link

🎉 This issue has been resolved in version 2.88.12 🎉

The release is available on:

Your semantic-release bot 📦🚀

@ffengGP ffengGP changed the title Vulnerable version of touch-cookie in use (2.5.0) CVE-2023-26136 Vulnerable version of tough-cookie in use (2.5.0) CVE-2023-26136 Aug 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

security: update tough-cookie dependency to 4.1.3 BreakBB/request
6 participants
@alfaproject @dstapleton92 @jeffsays @MikeMcC399 @ffengGP @cypress-app-bot