CVE-2024-47764 Overview
CVE-2024-47764 is an input validation vulnerability in the cookie library, a widely-used HTTP cookie parser and serializer for Node.js HTTP servers. The vulnerability allows attackers to manipulate cookie names to set arbitrary values in other cookie fields, effectively enabling injection of unexpected cookie data. Similar escape sequences can be exploited in the path and domain parameters, allowing malicious actors to alter additional cookie fields and potentially bypass security controls.
Critical Impact
Attackers can manipulate cookie attributes by injecting special characters into cookie names, potentially leading to session manipulation, security bypass, or cross-site attacks through altered cookie behavior.
Affected Products
- jshttp/cookie versions prior to 0.7.0
- Node.js applications using the vulnerable cookie library
- HTTP servers relying on jshttp/cookie for cookie parsing and serialization
Discovery Timeline
- 2024-10-04 - CVE CVE-2024-47764 published to NVD
- 2024-10-07 - Last updated in NVD database
Technical Details for CVE-2024-47764
Vulnerability Analysis
This vulnerability stems from improper input validation in the cookie parsing library. The root issue lies in the overly permissive regular expression used to validate cookie names. The original implementation used a fieldContentRegExp pattern based on RFC 7230 section 3.2, which allowed a broader range of characters than what RFC 6265 specifies for cookie names.
When a cookie name contains special characters that should be restricted (such as semicolons, equals signs, or control characters), the parser fails to properly reject or sanitize them. This allows an attacker to craft a malicious cookie name that, when processed, effectively injects additional cookie attributes or values into the resulting cookie string.
The attack is particularly concerning because cookies are fundamental to web security mechanisms including session management, CSRF protection, and authentication state. By manipulating cookie fields through injection, attackers may be able to hijack sessions, bypass same-site restrictions, or perform other security-relevant modifications.
Root Cause
The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The original regular expression /^[\\u0009\\u0020-\\u007e\\u0080-\\u00ff]+$/ was based on the field-content definition from RFC 7230, which is too permissive for cookie name validation. Cookie names should strictly follow the token definition from RFC 6265, which specifies a narrower set of allowed characters (!#$%&'*+-.^_|~` plus digits and letters).
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Submitting HTTP requests with specially crafted cookie names containing injection characters
- The vulnerable library processes these names without proper validation
- The malicious content escapes from the cookie name field into other cookie attributes
- The server processes or reflects the manipulated cookie data, leading to unintended behavior
var __toString = Object.prototype.toString
/**
- * RegExp to match field-content in RFC 7230 sec 3.2
+ * RegExp to match cookie-name in RFC 6265 sec 4.1.1
+ * This refers out to the obsoleted definition of token in RFC 2616 sec 2.2
+ * which has been replaced by the token definition in RFC 7230 appendix B.
*
- * field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
- * field-vchar = VCHAR / obs-text
- * obs-text = %x80-FF
+ * cookie-name = token
+ * token = 1*tchar
+ * tchar = "!" / "#" / "$" / "%" / "&" / "'" /
+ * "*" / "+" / "-" / "." / "^" / "_" /
+ * "`" / "|" / "~" / DIGIT / ALPHA
*/
-var fieldContentRegExp = /^[\\u0009\\u0020-\\u007e\\u0080-\\u00ff]+$/;
+var cookieNameRegExp = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
+
+/**
+ * RegExp to match cookie-value in RFC 6265 sec 4.1.1
+ *
+ * cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
+ * cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
+ * ; US-ASCII characters excluding CTLs,
+ * ; whitespace DQUOTE, comma, semicolon,
+ * ; and backslash
+ */
Source: GitHub Commit e10042845354fea83bd8f34af72475eed1dadf5c
Detection Methods for CVE-2024-47764
Indicators of Compromise
- Unusual characters in cookie names within HTTP request/response headers (semicolons, equals signs, control characters)
- Cookie values appearing in unexpected fields or with unexpected attributes
- Multiple cookie attributes set where only one was expected
- Anomalous session behavior or unexpected authentication state changes
Detection Strategies
- Implement web application firewall (WAF) rules to detect cookie header manipulation with special characters
- Monitor application logs for cookie parsing errors or unexpected cookie attribute combinations
- Use SentinelOne Singularity to detect anomalous application behavior associated with session manipulation
- Deploy SAST/DAST tools to identify usage of vulnerable cookie library versions in applications
Monitoring Recommendations
- Enable verbose logging for cookie handling in web servers and reverse proxies
- Monitor npm audit alerts and dependency vulnerability scanners for cookie package versions below 0.7.0
- Set up alerts for unusual patterns in Set-Cookie response headers
- Track changes to session cookies and authentication tokens for signs of manipulation
How to Mitigate CVE-2024-47764
Immediate Actions Required
- Upgrade the cookie package to version 0.7.0 or later immediately
- Audit applications for usage of the jshttp/cookie library and identify all affected deployments
- Review application logs for any evidence of attempted exploitation
- Implement input validation on cookie names at the application layer as a defense-in-depth measure
Patch Information
The vulnerability has been fixed in cookie version 0.7.0. The fix narrows the validation for cookie name, path, and domain attributes to strictly match RFC 6265 specifications. The updated implementation replaces the permissive fieldContentRegExp with a stricter cookieNameRegExp pattern that only allows characters defined in the token specification. For detailed technical information, refer to the GitHub Security Advisory GHSA-pxg6-pf52-xh8x and the pull request discussion.
Workarounds
- If immediate upgrade is not possible, implement server-side validation to reject cookie names containing characters outside the RFC 6265 token specification
- Use a WAF or reverse proxy to filter incoming requests with malformed cookie headers
- Apply input sanitization at the application boundary before cookie values are processed
- Consider using an alternative cookie parsing library that enforces strict RFC compliance
# Configuration example
# Update cookie package to patched version
npm update cookie@0.7.0
# Verify the installed version
npm list cookie
# Run security audit to check for remaining vulnerabilities
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
