tough-cookie is a Node.js library implementing RFC 6265 for cookie parsing and management, providing a CookieJar for web applications and HTTP clients. Version 0.12.1 is a minor update to the preceding stable version 0.12.0, offering small enhancements and potential bug fixes. The two versions share the same core functionality: both rely on the punycode dependency, both use the same development toolchain (vows and async for testing), both target developers who need reliable, spec-compliant cookie parsing and storage in Node.js, and both are MIT licensed.
The key difference between versions 0.12.0 and 0.12.1 lies in the Git repository URL recorded for the project. Version 0.12.0 points to git://github.com/goinstant/node-cookie.git, while version 0.12.1 points to git://github.com/goinstant/tough-cookie.git. This seemingly minor change likely reflects a repository move or rename, suggesting ongoing maintenance of the tough-cookie project. Developers should prefer 0.12.1, as it could contain fixes made after 0.12.0 was released. The releases are separated by approximately 3 days: 0.12.0 appeared on January 13th, 2014 and 0.12.1 a few days later.
All vulnerabilities affecting version 0.12.1 of the package
ReDoS via long string of semicolons in tough-cookie
Affected versions of tough-cookie may be vulnerable to regular expression denial of service when long strings of semicolons exist in the Set-Cookie header.
Update to version 2.3.0 or later.
Regular Expression Denial of Service in tough-cookie
Affected versions of tough-cookie are susceptible to a regular expression denial of service.
The amplification of this vulnerability is relatively low: it takes around 2 seconds for the engine to execute on a malicious input 50,000 characters in length.
If node was compiled using the -DHTTP_MAX_HEADER_SIZE option, however, the impact of the vulnerability can be significant, as the primary limitation on the vulnerability is node's default maximum HTTP header length.
Update to version 2.3.3 or later.
tough-cookie Prototype Pollution vulnerability
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.