- Snyk ID npm:getcookies:20180502
- published 3 May 2018
- disclosed 2 May 2018
- credit Unknown
Introduced: 2 May 2018, Malicious, CVE not available, CWE-506
How to fix?
Avoid usage of this package altogether.
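One way to check whether a project pulls in this package, directly or transitively, as an added example that is not part of the original advisory. It walks a parsed package-lock.json in either the nested v1 layout or the flat v2/v3 layout; every package name other than getcookies and all version numbers are constructed sample data.

```javascript
// Added example. Package names other than getcookies are constructed.
function findPackage(lock, target = 'getcookies') {
  const installs = [];   // where a copy of the package is installed
  const requiredBy = []; // packages that declare a dependency on it
  const declares = (deps) => Object.keys(deps || {}).includes(target);

  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [at, meta] of Object.entries(lock.packages)) {
      const name = at.split('node_modules/').pop() || '(root project)';
      if (name === target) installs.push({ at, version: meta.version });
      if (declares(meta.dependencies) || declares(meta.devDependencies) ||
          declares(meta.optionalDependencies)) requiredBy.push(name);
    }
  } else {
    // lockfileVersion 1: nested "dependencies", edges listed in "requires".
    // The root project's own dependencies live in package.json, not here.
    (function walk(deps, prefix) {
      for (const [name, meta] of Object.entries(deps || {})) {
        const at = `${prefix}node_modules/${name}`;
        if (name === target) installs.push({ at, version: meta.version });
        if (declares(meta.requires)) requiredBy.push(name);
        walk(meta.dependencies, `${at}/`);
      }
    })(lock.dependencies, '');
  }
  return { installs, requiredBy };
}

// Constructed lockfile (v3 layout); versions are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'example-web-lib': '^1.0.0' } },
    'node_modules/example-web-lib': {
      version: '1.0.0', dependencies: { 'example-helper': '^2.0.0' } },
    'node_modules/example-helper': {
      version: '2.0.0', dependencies: { getcookies: '*' } },
    'node_modules/getcookies': { version: '0.0.0' },
  },
};

console.log(JSON.stringify(findPackage(SAMPLE_LOCK), null, 2));
```

To check a real project, pass the parsed contents of its package-lock.json; a non-empty `installs` list means the package is in the tree, and `requiredBy` names the dependencies to remove or replace.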
getcookies contains a malicious backdoor.
The backdoor works by parsing the user-supplied HTTP request.headers, looking for specifically formatted data that provides three different commands to the backdoor:
- resetting the code buffer.
- executing code located in the buffer by calling
- loading remote code into memory for execution.
These control codes allowed an attacker to input arbitrary code into a running server and execute it.
The list of packages and their scripts are: