## CVE-2024-47764: Medium-Severity Flaw in Widely Used Node.js Cookie Library Enables Field Manipulation
A medium-severity vulnerability (CVE-2024-47764) has been identified in cookie-0.1.3.tgz, a foundational HTTP cookie parsing and serialization library used across the Node.js ecosystem. A crafted cookie name can be used to set arbitrary fields within the resulting cookie, injecting unexpected values. The security advisory warns that similar escapes in the path and domain attributes could be used to alter additional cookie fields.

The vulnerable library sits deep within the dependency chain of cookie-parser-1.3.5.tgz, itself a widely deployed web middleware package. In affected projects it is found at /node_modules/cookie/package.json. The core problem is insufficient validation during cookie name parsing: maliciously crafted input could trigger unintended field assignment.
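
The validation gap described above, as an added example that is not the jshttp/cookie source: a serializer that concatenates name, path and domain unchecked, beside one that rejects values able to introduce extra fields. The function names, the regular expressions and the sample cookie name are assumptions constructed for illustration.

```javascript
// Added example, not the library's own code. All names here are hypothetical.

// RFC 7230 "token": the characters allowed in a cookie name.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Attribute values (Path, Domain): printable ASCII without ';'.
const ATTR_VALUE_RE = /^[\x20-\x3A\x3C-\x7E]*$/;

// Unvalidated serialization, modelling the behaviour the advisory describes:
// name, domain and path are concatenated into the header as-is.
function naiveSerialize(name, value, opts = {}) {
  let out = `${name}=${encodeURIComponent(value)}`;
  if (opts.domain) out += `; Domain=${opts.domain}`;
  if (opts.path) out += `; Path=${opts.path}`;
  return out;
}

// Hardened serialization: reject input that could introduce extra fields.
function safeSerialize(name, value, opts = {}) {
  if (!TOKEN_RE.test(name)) throw new TypeError('invalid cookie name');
  if (opts.domain && !ATTR_VALUE_RE.test(opts.domain)) throw new TypeError('invalid domain');
  if (opts.path && !ATTR_VALUE_RE.test(opts.path)) throw new TypeError('invalid path');
  return naiveSerialize(name, value, opts);
}

// List the field names a receiver would see in a Set-Cookie header value.
function fieldsOf(header) {
  return header.split(';').map((part) => part.trim().split('=')[0]);
}

// Constructed sample: a cookie name derived from untrusted input.
const untrustedName = 'theme=dark; Domain=example.test; x';

function demo() {
  // Unchecked, the single "name" yields three fields, one of them Domain.
  const naive = fieldsOf(naiveSerialize(untrustedName, 'v'));
  let rejected = false;
  try {
    safeSerialize(untrustedName, 'v');
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  // A well-formed cookie still serializes normally.
  const ok = safeSerialize('theme', 'dark', { path: '/' });
  return { naive, rejected, ok };
}

console.log(demo());
```

Applications that build cookie names, paths or domains from request data can apply the same checks at their own boundary while waiting for the upgraded dependency.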

The vulnerability raises the risk of manipulation attacks against applications that rely on cookie-based session management, access control, or state tracking. Depending on implementation patterns, exploitation could potentially lead to session hijacking, unauthorized resource access, or user redirection. The actual severity remains context-dependent, as the attack surface hinges on how individual applications process and trust cookie field values. Organizations using the affected library should monitor the official jshttp/cookie security advisory for upgrade guidance and apply patches as they become available.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2024-47764, cookie-0.1.3, Node.js, npm, HTTP header injection
- **Credibility**: unverified
- **Published**: 2026-04-30 11:54:11
- **ID**: 78585
- **URL**: https://whisperx.ai/en/intel/78585