## CVE-2024-47764: Medium-Severity Cookie Parsing Flaw Exposes Node.js Servers to Manipulation
A newly disclosed vulnerability in a foundational Node.js library opens a subtle but exploitable path for attackers to manipulate cookie data on web servers. CVE-2024-47764, rated medium severity, affects the widely used `cookie` library, a core component for parsing and serializing HTTP cookies. The flaw allows a maliciously crafted cookie name to set other fields within the cookie object, so that unexpected and potentially harmful values are processed by the server. Because the same manipulation can reach fields such as path and domain, it creates a vector for session hijacking and other integrity attacks.

The vulnerability resides specifically in version 0.1.3 of the `cookie` package, which is a direct dependency of the popular `cookie-parser` middleware (version 1.3.5). This dependency chain means countless Node.js and Express.js applications that rely on `cookie-parser` for handling session data are potentially exposed. The issue stems from improper input sanitization, where special characters in a cookie's name are not correctly escaped, allowing them to bleed into and corrupt adjacent fields during the parsing phase.
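To make the mechanism concrete, here is an added illustration (my own code, not the `cookie` library's source and not taken from the advisory) that places a serializer which joins the name unchecked beside one that enforces the RFC 6265 token grammar before building the `Set-Cookie` header; the crafted name, the separator check for Path/Domain and every other input are constructed for this example.

```javascript
// Added example (not the cookie library's code): a minimal Set-Cookie serializer
// in unvalidated and hardened forms, plus a small parser so the effect of an
// unvalidated name is visible. Token grammar per RFC 6265 (cookie-name = token).
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;  // RFC 2616 token characters
const ATTR_SEPARATOR_RE = /[;,\s]/;                   // never valid inside Path/Domain

function serializeUnvalidated(name, value, opts = {}) {
  // Weak form: the name is concatenated as-is, so ';' and '=' inside it become
  // additional attributes of the header the server sends.
  let out = `${name}=${encodeURIComponent(value)}`;
  if (opts.path) out += `; Path=${opts.path}`;
  if (opts.domain) out += `; Domain=${opts.domain}`;
  return out;
}

function serializeHardened(name, value, opts = {}) {
  // Hardened form: reject the name unless it is a pure token, and reject
  // Path/Domain values that carry attribute separators, before joining.
  if (!TOKEN_RE.test(name)) throw new TypeError(`invalid cookie name: ${name}`);
  if (opts.path && ATTR_SEPARATOR_RE.test(opts.path)) throw new TypeError('invalid path');
  if (opts.domain && ATTR_SEPARATOR_RE.test(opts.domain)) throw new TypeError('invalid domain');
  return serializeUnvalidated(name, value, opts);
}

// Parse a Set-Cookie header into {name, value, attrs} the way a client would.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const parsed = { name: eq < 0 ? pair : pair.slice(0, eq), value: eq < 0 ? '' : pair.slice(eq + 1), attrs: {} };
  for (const attr of rest) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    parsed.attrs[key] = i < 0 ? true : attr.slice(i + 1);
  }
  return parsed;
}

// Constructed input: a "name" that contains attribute separators. With the weak
// serializer the Path attribute it carries ends up in the emitted header.
const CRAFTED_NAME = 'session=a; Path=/other; x';

function demo() {
  const weak = parseSetCookie(serializeUnvalidated(CRAFTED_NAME, 'v'));
  let hardenedRejected = false;
  try { serializeHardened(CRAFTED_NAME, 'v'); } catch (e) { hardenedRejected = e instanceof TypeError; }
  return { weak, hardenedRejected };
}
```

Running `demo()` shows the weak serializer producing a header whose `Path` attribute came from the name rather than from the options object, while the hardened serializer refuses the name outright.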

While the immediate risk is rated as medium, the pervasiveness of the affected library amplifies its significance. The flaw does not require a complex attack chain; a simple crafted HTTP request could trigger it. Developers are urged to upgrade the `cookie` dependency to version 0.1.4 or later, which contains the necessary patches. For projects locked into the vulnerable `cookie-parser@1.3.5`, the fix involves manually updating the nested `cookie` dependency. This vulnerability underscores the persistent risks hidden within deep, often overlooked, dependency trees of modern software ecosystems.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2024-47764, Node.js, npm, Web Security, Dependency Vulnerability
- **Credibility**: unverified
- **Published**: 2026-03-31 06:27:21
- **ID**: 42524
- **URL**: https://whisperx.ai/en/intel/42524