
fix: update cookie dependency to ^0.7.0 to address CVE-2024-47764

Open keith-oak opened this issue 6 months ago • 0 comments

Summary

  • Updates the cookie package from ^0.5.0 to ^0.7.0 to fix CVE-2024-47764
  • This addresses the critical security vulnerability that allows injection of unexpected key-value pairs
  • Fixes #932

Details

This PR updates the cookie dependency to version 0.7.0, which includes proper validation to prevent malicious cookie values from injecting special properties like __proto__, constructor, or prototype into JavaScript objects.

The vulnerability (CVE-2024-47764) is rated as critical with a CVSS score of 9.1/10 and could allow attackers to perform prototype pollution attacks through specially crafted cookie values.

Changes Made

  • Updated cookie from ^0.5.0 to ^0.7.0 in package.json
  • Ran npm install to update package-lock.json accordingly

Testing

  • ✅ All unit tests pass (npm test)
  • ✅ Build completes successfully (npm run build)
  • ✅ No breaking changes - cookie 0.7.0 maintains backward compatibility

References

  • CVE-2024-47764: https://nvd.nist.gov/vuln/detail/CVE-2024-47764
  • Fixes #932: Vulnerable dependency cookie < 0.7.0
  • Cookie package changelog: https://github.com/jshttp/cookie/releases/tag/v0.7.0

keith-oak · Jun 24 '25 23:06
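The PR's test list covers the build, but not whether every copy of `cookie` in the tree is now at or above 0.7.0 (nested copies under other dependencies are easy to miss). The following is an added example, not code from this PR or the static-web-apps-cli project: it scans a package-lock.json (a constructed sample is embedded) for any `cookie` entry below the 0.7.0 threshold named in #932, handling both the v2/v3 `packages` map and the legacy v1 nested `dependencies` tree.

```javascript
// Added example (not part of static-web-apps-cli): find copies of `cookie`
// older than 0.7.0 in an npm lock file. SAMPLE_LOCK below is constructed.
const FIXED_VERSION = "0.7.0";

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { cookie: "^0.5.0", express: "^4.19.2" } },
    "node_modules/cookie": { version: "0.5.0" },                      // vulnerable
    "node_modules/express": { version: "4.19.2" },
    "node_modules/express/node_modules/cookie": { version: "0.7.1" }, // nested, already fixed
  },
};

// Compare two dotted numeric versions; returns <0, 0 or >0 like strcmp.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns [{ path, version }] for every `cookie` copy below FIXED_VERSION.
// Lockfile v2/v3 keeps a flat "packages" map keyed by install path; v1 keeps a
// nested "dependencies" tree, which is only walked when "packages" is absent
// (v2 files carry both, and walking both would double-count).
function findVulnerableCookie(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/cookie$/.test(path) && meta.version &&
        compareVersions(meta.version, FIXED_VERSION) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "cookie" && meta.version &&
          compareVersions(meta.version, FIXED_VERSION) < 0) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, path + "/"); // recurse into nested node_modules
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; an empty result means no copy of `cookie` below 0.7.0 remains in the tree.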