GCVE - cpe:2.3:a:salesforce:tough-cookie:*:*:*:*:*:node.js:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:salesforce:tough-cookie:*:*:*:*:*:node.js:*:*

part: a version: * update: *

Vendor	Salesforce (`cfdafdea-90cf-5590-ad24-239f205b7d02`)
Product	Tough Cookie (`ce8ef032-440a-550a-ae15-3e24c8c90907`)
Edition	*
Language	*
Software edition	*
Target software	node.js
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2023-26136`	vulnerable	2026-06-03 14:50:58.398112	Details available MEDIUM (6.5) Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized. Published: 2023-07-01T05:00:01.115Z Updated: 2025-08-27T20:32:53.151Z Open on db.gcve.eu Reference links https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873 https://github.com/salesforce/tough-cookie/issues/282 https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3 https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2017-15010`	vulnerable	2026-06-03 14:36:45.134301	Details available A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU. Published: 2017-10-03T16:00:00.000Z Updated: 2024-08-05T19:42:22.357Z Open on db.gcve.eu Reference links https://access.redhat.com/errata/RHSA-2017:2913 https://nodesecurity.io/advisories/525 http://www.securityfocus.com/bid/101185 https://access.redhat.com/errata/RHSA-2018:1264 https://access.redhat.com/errata/RHSA-2017:2912	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2016-1000232`	vulnerable	2026-06-03 14:35:22.998461	Details available NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0. Published: 2018-09-05T17:00:00.000Z Updated: 2024-08-06T03:55:27.288Z Open on db.gcve.eu Reference links https://access.redhat.com/errata/RHSA-2016:2101 https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/ https://access.redhat.com/errata/RHSA-2017:2912 https://www.npmjs.com/advisories/130 https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.