CVE-2023-26136 in tough-cookie

[Sher-Chowdhury]

Description/Steps to reproduce

Found the following CVE for tough-cookie:

CVE-2023-26136 (severity: Medium)

$ npm list tough-cookie
strong-soap@3.5.5
└─┬ request@2.88.2
  └── tough-cookie@2.5.0

Additional info in salesforce/tough-cookie#282

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Link to reproduction sandbox

Expected result

Additional information

[NewEraCracker]

Some magic bits for package.json as a workaround:

  "overrides": {
    "request": "npm:@cypress/request@^3.0.1",
    "tough-cookie": "^4.1.3"
  },

My two cents, and hoping it helps.

[toddtarsi]

PR implementing a fix is here:

#701

[achrinza]

Closed by #701