Malicious Package Affecting express-cookies package, versions *


0.0
critical

Snyk CVSS

  • Attack Complexity: Low
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Threat Intelligence

  • Exploit Maturity: Mature

  • Snyk ID npm:express-cookies:20180502
  • published 3 May 2018
  • disclosed 2 May 2018
  • credit Unknown

Introduced: 2 May 2018

Malicious, CVE NOT AVAILABLE, CWE-506

How to fix?

Avoid usage of this package altogether.

Overview

express-cookies contains a malicious backdoor.

The backdoor works by parsing the user-supplied HTTP request.headers, looking for specifically formatted data that provides three different commands to the backdoor:

  • resetting the code buffer.
  • executing code located in the buffer by calling vm.runInThisContext, providing module.exports, required, req, res, and next as arguments.
  • loading remote code into memory for execution.

These control codes allowed an attacker to inject arbitrary code into a running server and execute it.

The list of packages and their scripts is:

  • express-cookies
  • getcookies
  • http-fetch-cookies
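
One way to check a project for the three packages listed above, as an added example that is not part of the Snyk advisory: it walks a parsed package-lock.json (the nested v1 `dependencies` tree or the flat v2/v3 `packages` map) and reports where each name is installed, including transitive and aliased installs. The sample lockfile, the names `example-app`, `example-lib` and `cookies-alias`, and the `0.0.0` versions are constructed.

```javascript
// Added example (not Snyk's or npm's code): flag the advisory's packages in a parsed lockfile.
const BLOCKLIST = new Set(['express-cookies', 'getcookies', 'http-fetch-cookies']);

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function scanPackagesMap(packages, hits) {
  const marker = 'node_modules/';
  for (const [path, meta] of Object.entries(packages)) {
    if (path === '') continue; // the root project itself
    const idx = path.lastIndexOf(marker);
    // "name" is only recorded when it differs from the folder name (e.g. aliases).
    const name = meta.name || (idx === -1 ? path : path.slice(idx + marker.length));
    if (BLOCKLIST.has(name)) hits.push({ name, version: meta.version, via: path });
  }
}

// lockfileVersion 1: nested "dependencies" tree; recurse and keep the trail.
function scanDependencyTree(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const via = [...trail, name];
    if (BLOCKLIST.has(name)) hits.push({ name, version: meta.version, via: via.join(' > ') });
    scanDependencyTree(meta.dependencies, via, hits);
  }
}

function findMaliciousPackages(lock) {
  const hits = [];
  // v2 files carry both sections; prefer "packages" to avoid double counting.
  if (lock.packages) scanPackagesMap(lock.packages, hits);
  else scanDependencyTree(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample in lockfileVersion 3 shape; names and versions are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/express': { version: '4.18.2' },
    'node_modules/example-lib': { version: '2.0.0' },
    'node_modules/example-lib/node_modules/http-fetch-cookies': { version: '0.0.0' },
    'node_modules/cookies-alias': { name: 'getcookies', version: '0.0.0' },
  },
};

for (const hit of findMaliciousPackages(SAMPLE_LOCK)) {
  console.log(`${hit.name}@${hit.version} installed at ${hit.via}`);
}
```

To scan a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findMaliciousPackages`; any hit is a package to remove, per the fix above.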
