CVE-2016-1000232
unknown
CVSS v3: not available
CVSS v4: not available
VIR risk: not available
Description
ReDoS via long string of semicolons in tough-cookie
Predictions
Exploit likelihood: 30%
Patch ETA: not available
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| npm | tough-cookie | <2.3.0 | 2.3.0 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000232
- https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae
- https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534
- https://access.redhat.com/errata/RHSA-2016:2101
- https://access.redhat.com/errata/RHSA-2017:2912
- https://access.redhat.com/security/cve/cve-2016-1000232
- https://github.com/advisories/GHSA-qhv9-728r-6jqg
- https://github.com/salesforce/tough-cookie
- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232
- https://www.npmjs.com/advisories/130