CVE-2022-25901 - Denial of Service (DoS)
Severity: Low
2023-03-22
Abstract
Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.
The Oxygen products incorporate cookiejar as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| Oxygen Feedback v2.1.4 and older | Low | Oxygen Feedback 3.0 build 2023031610 |
Detail
CVE-2022-25901
Severity: High
CVSS Score: 7.5
The cookiejar third-party library used by Oxygen XML products is one of the affected versions named in the CVE-2022-25901 vulnerability description. However, the Oxygen products do not use the Cookie.parse function, so the vulnerable regular expression is never reached. For that reason, we have rated the severity level for our products as low.
Starting with Oxygen Feedback v3.0 build 2023031610, the cookiejar library was updated to v2.1.4, which fixes this vulnerability.