
express-session vulnerability since it is still using a very old cookie-signature version

Open · andiclone opened this issue 1 year ago · 1 comment

Vulnerability

express-session, even in the latest v1.18.0, is still using cookie-signature v1.0.7, which is over a year old and has a 'sha1' vulnerability: https://owasp.org/Top10/A02_2021-Cryptographic_Failures/

Problem

In my project this has been reported for over 5 months, since the latest change in this package, but still no newer version has come out to fix this vulnerability.

Solution

Upgrade the dependency on cookie-signature to a newer version, ideally 1.2.1, which changes the old sha1 standard to the much more secure and updated sha256.

Notes

This is my first time posting an issue here so if I'm missing something please let me know :)

andiclone · Jun 20 '24 17:06

I created a fix, I will create a PR.

lucianidev · Jul 12 '24 09:07