Platform: nodejs
Component: tough-cookie
Fixed in: 2.3.3
CVE-2017-15010 is a denial-of-service (DoS) vulnerability affecting the tough-cookie package. An attacker can trigger this vulnerability by sending specially crafted regular expressions that cause excessive resource consumption, leading to a denial of service. This vulnerability impacts versions of tough-cookie prior to 2.3.3. Updating to version 2.3.3 or later resolves this issue.
The primary impact of CVE-2017-15010 is a denial of service: an attacker can exploit this vulnerability to crash or significantly degrade the performance of applications that use tough-cookie. The amplification factor is relatively low (approximately 2 seconds to execute on a 50,000-character input), but the impact can be significantly amplified if Node.js was compiled with the -DHTTP_MAX_HEADER_SIZE flag, as this removes the default HTTP header size limitation and allows an attacker to send much larger malicious inputs, overwhelming the server and causing a complete outage. This vulnerability shares characteristics with other regex-based DoS attacks, where carefully crafted input triggers exponential backtracking in the regular expression engine.
CVE-2017-15010 was published on July 24, 2018. There is no indication that this vulnerability is actively exploited in the wild, nor is it currently listed on CISA KEV. Public proof-of-concept (POC) code is available, demonstrating the vulnerability's exploitability. The relatively low amplification factor might have limited its attractiveness to attackers, but the potential for amplification with specific Node.js configurations remains a concern.
Exploit Status
EPSS: 3.94% (88th percentile)
CVSS Vector
The primary mitigation for CVE-2017-15010 is to upgrade to version 2.3.3 or later of the tough-cookie package. If upgrading is not immediately feasible, consider implementing input validation to sanitize regular expressions before passing them to tough-cookie. WAF rules can be configured to block requests containing unusually long or complex regular expressions. Monitoring CPU and memory usage on servers running applications using tough-cookie can help detect potential exploitation attempts. After upgrading, confirm the fix by attempting to process a known malicious regular expression and verifying that it does not cause a denial of service.
CVE-2017-15010 is a denial-of-service vulnerability in the tough-cookie package. Attackers can exploit it by sending malicious regular expressions, potentially causing application crashes or performance degradation.
You are affected if you are using a version of tough-cookie prior to 2.3.3. Check your installed version using npm list tough-cookie.
Upgrade to version 2.3.3 or later of the tough-cookie package. Implement input validation for regular expressions as a temporary workaround.
There is no current evidence of active exploitation in the wild, but public POC code exists.
Refer to the tough-cookie project's repository and related security advisories for more information: https://github.com/Mapbox/tough-cookie