Sensitive Cookie in HTTPS Session Without "Secure" Attribute Affecting @grackle-ai/server package, versions <0.70.5


Severity: Low (recommended CVSS score 0.0 on a 0 to 10 scale; CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-JS-GRACKLEAISERVER-15840037
  • Published: 30 Mar 2026
  • Disclosed: 25 Mar 2026
  • Credit: Unknown

Introduced: 25 Mar 2026

CVE: not available; CWE: CWE-614

How to fix?

Upgrade @grackle-ai/server to version 0.70.5 or higher.

Overview

@grackle-ai/server is a Grackle server orchestrator — spawns and wires core (gRPC), web-server (HTTP), MCP, and PowerLine

Affected versions of this package are vulnerable to Sensitive Cookie in HTTPS Session Without "Secure" Attribute in their session handling. Session cookies may be issued without the Secure attribute, so a browser will also send them over plain HTTP; an attacker positioned on the network path can then read the session cookie from captured traffic when the application is run with the --allow-network option over an untrusted network. This is only exploitable if the application is started with --allow-network and accessed over a non-localhost interface without a TLS-terminating reverse proxy.

Workaround

This vulnerability can be mitigated by not using the --allow-network option over untrusted networks unless a TLS-terminating reverse proxy is in place.
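As an added illustration (not code from @grackle-ai/server or from Snyk), the following Node.js snippet shows the defender-side check for the condition described above: it parses Set-Cookie header values, flags session-looking cookies that lack the Secure attribute (the CWE-614 condition, with HttpOnly and SameSite reported as defence in depth), and builds a hardened session cookie for comparison. The cookie-name pattern and the sample headers are constructed for the example and are not taken from any real Grackle deployment.

```javascript
// Added example: audit Set-Cookie headers for session cookies missing the
// Secure attribute, and build a hardened replacement. Not project code.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes map to `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [rawName, ...rawValue] = parts[0].split('=');
  const attrs = {};
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return { name: rawName.trim(), value: rawValue.join('='), attrs };
}

// Assumed heuristic for "looks like a session cookie"; tune per application.
const SESSION_NAME_PATTERN = /(sess|sid|token|auth)/i;

// Return one finding per session-looking cookie that lacks Secure, HttpOnly
// or SameSite. A missing Secure attribute is the condition this advisory is
// about: the browser will then send the cookie over plain HTTP as well.
function auditSetCookieHeaders(headers, { sessionPattern = SESSION_NAME_PATTERN } = {}) {
  const findings = [];
  for (const header of headers) {
    const cookie = parseSetCookie(header);
    if (!sessionPattern.test(cookie.name)) continue;
    const missing = [];
    if (!('secure' in cookie.attrs)) missing.push('Secure');
    if (!('httponly' in cookie.attrs)) missing.push('HttpOnly');
    if (!('samesite' in cookie.attrs)) missing.push('SameSite');
    if (missing.length) findings.push({ name: cookie.name, missing });
  }
  return findings;
}

// Build a hardened Set-Cookie value. Secure is always set: even when the app
// itself listens on plain HTTP behind a TLS-terminating reverse proxy (the
// deployment the workaround describes), the browser will only return the
// cookie over HTTPS.
function buildSessionCookie(name, value, { maxAge = 3600, sameSite = 'Lax' } = {}) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=${maxAge}; HttpOnly; Secure; SameSite=${sameSite}`;
}

// Constructed sample headers (not captured from a real deployment): one weak
// session cookie, one non-session cookie, and one hardened session cookie.
const SAMPLE_HEADERS = [
  'grackle_session=abc123; Path=/; HttpOnly',
  'theme=dark; Path=/',
  buildSessionCookie('grackle_session', 'abc123'),
];

console.log(auditSetCookieHeaders(SAMPLE_HEADERS));
```

Run the audit against the Set-Cookie headers a deployment actually emits (for example, captured with `curl -i` against the web-server port) rather than against the constructed samples; a finding listing `Secure` on a session cookie is the signal that the instance is exposed in the way this advisory describes when reached over a non-localhost interface.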
