
CVE-2023-26136 Impacting Open-Source NPM Product Tough-Cookie

Publication date: May 7, 2024
Description

At Salesforce, we understand that the confidentiality, integrity, and availability of your data is vital to your business, and we take the protection of your data very seriously.
 

What happened?

On June 1, 2023, a security researcher discovered a JavaScript vulnerability affecting the Salesforce tough-cookie open-source NPM project. This vulnerability could allow a malicious actor to attach cookie data to a global namespace, resulting in cookies being exposed to individuals with access to your running code. 
 

What did Salesforce do to address this? 

On June 5, a fix was implemented and a release note, available here, was published to GitHub. On June 29, CVE-2023-26136 was issued to address this vulnerability with a CVSS score of 6.5.
 

How do I know if I am impacted?

To determine if you use the tough-cookie NPM package and are potentially affected by this vulnerability, take the following steps:

  1. Verify whether tough-cookie is listed as a dependency in your project’s package.json file. 
  2. If tough-cookie is listed as a dependency, validate whether you are using a CookieJar with option “rejectPublicSuffixes” set to false and option “store” either unset, or set to use a MemoryCookieStore. If you are not implementing these configuration options, you are not impacted by this vulnerability and do not need to take action. If you are implementing these configuration options, then cookies stored in this CookieJar may be accessible to unauthorized actors with access to your running code.
    1. NOTE: Cookies exposed due to this vulnerability are only accessible during the lifetime of the running application. Stopping or restarting the application will reset the CookieJar, removing all active connections to the global namespace.
  3. If your site is implementing both of the configuration options above, follow these steps to identify potentially suspicious connections to your global namespace. 
    1. Connect to your running instance.
    2. Examine the global Object.prototype.
      1. Example: console.log(Object.prototype)
    3. Determine whether there are properties of Object.prototype that begin with “/”.
      1. Example: “/notauth”
    4. The values attached to those properties are objects, whose values are cookies.
      1. Example: {Slonser: Cookie="Slonser=polluted; Domain=__proto__; Path=/notauth; hostOnly=false; aAge=1ms; cAge=35443ms"}

If not all of the above conditions hold, your running instance has not been impacted by the vulnerability.
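The check in steps 3.2 to 3.4 can be scripted instead of read off console.log. The following is an added example, not code from this article or from the tough-cookie project; it assumes Node.js, and the helper names and the constructed stand-in object carrying the article's “/notauth” shape are assumptions for illustration.

```javascript
// Added example (not from the Salesforce article or tough-cookie):
// scan a prototype object for own properties whose names start with "/",
// which is the cookie Path used as a key when a Domain of "__proto__" lands
// in MemoryCookieStore, and describe the cookies stored beneath them.

// Returns one finding per suspicious property. `proto` defaults to the
// global Object.prototype but is a parameter so the scan can also be
// exercised against an ordinary object.
function findPollutedCookiePaths(proto = Object.prototype) {
  const findings = [];
  // getOwnPropertyNames also returns non-enumerable properties.
  for (const name of Object.getOwnPropertyNames(proto)) {
    if (!name.startsWith('/')) continue; // normal prototype members never start with "/"
    const entry = proto[name];
    const isObject = entry !== null && typeof entry === 'object';
    findings.push({
      path: name,
      cookieNames: isObject ? Object.keys(entry) : [],      // e.g. ["Slonser"]
      cookies: isObject ? Object.values(entry).map(String) : [String(entry)],
    });
  }
  return findings;
}

// Operator-facing wrapper: prints a report and returns true when the
// process shows the pollution described in the article.
function reportPollution(proto = Object.prototype) {
  const findings = findPollutedCookiePaths(proto);
  if (findings.length === 0) {
    console.log('No cookie paths found on the prototype; instance not impacted.');
    return false;
  }
  for (const f of findings) {
    console.log(`Suspicious path ${f.path}: cookies ${f.cookieNames.join(', ')}`);
    for (const c of f.cookies) console.log(`  ${c}`);
  }
  return true;
}

// Constructed stand-in prototype mirroring the article's example shape
// ("/notauth" -> { Slonser: <cookie> }); it is NOT the real Object.prototype.
const demoProto = Object.create(null);
demoProto['/notauth'] = {
  Slonser: 'Slonser=polluted; Domain=__proto__; Path=/notauth; hostOnly=false',
};
reportPollution(demoProto); // reports the constructed entry
reportPollution();          // scans this process's real Object.prototype
```

Run `reportPollution()` inside the live Node.js process (for example from an attached REPL or inspector), not in a fresh process, since the pollution only exists for the lifetime of the running application.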
 

If I am impacted, what action should I take? 

If you determine that you are impacted by this vulnerability, to eliminate potential unauthorized access to your cookies, upgrade tough-cookie to version 4.1.3, available here. Alternatively, you could update your code to ensure all instances of CookieJar have rejectPublicSuffixes set to true, or use a store other than MemoryCookieStore.
 

What should I do if I have questions?

If you have any questions, please open a case with Support via the Help portal.


We appreciate your trust in us as we continue to make your success our top priority. 
Knowledge Article Number

000395871
