Malicious Package Affecting express-cookies package, versions *
Snyk CVSS
- Attack Complexity: Low
- Confidentiality: High
- Integrity: High
- Availability: High
Threat Intelligence
- Exploit Maturity: Mature
- Snyk ID npm:express-cookies:20180502
- published 3 May 2018
- disclosed 2 May 2018
- credit Unknown
How to fix?
Avoid usage of this package altogether.
Overview
express-cookies contains a malicious backdoor.
The backdoor works by parsing the user-supplied HTTP request.headers, looking for specifically formatted data that provides three different commands to the backdoor:
- resetting the code buffer.
- executing code located in the buffer by calling vm.runInThisContext, providing module.exports, required, req, res, and next as arguments.
- loading remote code into memory for execution.
These control codes allowed an attacker to inject arbitrary code into a running server and execute it.
The affected packages are:
- express-cookies
- getcookies
- http-fetch-cookies