Malicious Package

Affecting getcookies package, ALL versions


Overview

getcookies contains a malicious backdoor.

The backdoor parses the user-supplied HTTP request headers (request.headers), looking for specifically formatted data that encodes one of three commands:

  • reset the code buffer.
  • execute the code held in the buffer by calling vm.runInThisContext, passing module.exports, require, req, res, and next as arguments, so the injected code runs inside the server process with access to Node's module system and to the live request and response.
  • load remote code into memory for execution.

Any client that can reach the server over HTTP can therefore inject arbitrary code and have it executed with the privileges of the Node.js process; no authentication or user interaction is needed, which is reflected in the CVSS vector below (AV:N, PR:N, UI:N).

The malicious code ships in the following packages (all versions):

express-cookies
getcookies
http-fetch-cookies

Remediation

Avoid usage of this package altogether; there is no safe version to upgrade to. Remove getcookies, express-cookies and http-fetch-cookies from your dependency tree, including transitive dependencies: check package-lock.json or yarn.lock rather than package.json alone, since the packages may be pulled in indirectly. Any server that ran an affected version while exposed to untrusted HTTP traffic should be treated as potentially compromised: review it for signs of injected code or persistence and rotate the secrets it had access to.

CVSS Score

9.8
critical severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
Credit
Unknown
CWE
CWE-506 (Embedded Malicious Code)
Snyk ID
npm:getcookies:20180502
Disclosed
02 May, 2018
Published
03 May, 2018