CVE-2022-25901 - Denial of Service (DoS)

Severity: Low

2023-03-22


Abstract

Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.

The Oxygen products incorporate cookiejar as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Product: Oxygen Feedback v2.1.4 and older
Severity: Low
Fixed Release Availability: Oxygen Feedback 3.0 build 2023031610

Mitigation

None

Detail

CVE-2022-25901

Severity: High

CVSS Score: 7.5

The cookiejar third-party library used by Oxygen XML products is one of the affected versions listed in the CVE-2022-25901 vulnerability description. However, the Oxygen products do not use the Cookie.parse function, so the insecure regular expression is never reached. For that reason, we have rated the severity level for our products as low.

Starting with Oxygen Feedback v3.0 build 2023031610, the cookiejar library was updated to v2.1.4, which fixes this vulnerability.
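The advisory turns on two facts: which cookiejar version a deployment actually carries, and whether the fixed release 2.1.4 is in place. The following is an added example (not code from Oxygen XML or the cookiejar project) that scans an npm lockfile's "packages" map (lockfileVersion 2 or 3; the older lockfileVersion 1 "dependencies" tree is not handled) for cookiejar installs older than 2.1.4, including nested copies pulled in by other dependencies. The sample lockfile is constructed for the example.

```javascript
// Added example: report cookiejar installs older than the fixed release named in
// the advisory. Works on the "packages" map of an npm lockfile (lockfileVersion 2/3).
const FIXED_VERSION = "2.1.4";

// Compare the numeric major.minor.patch core of two versions (pre-release tags ignored).
// Returns -1, 0 or 1 like a standard comparator.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Walk every installed path; the package name is the segment after the last
// "node_modules/" (so nested copies and scoped packages are both handled).
function findVulnerableCookiejar(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // the root project entry, not a dependency
    const marker = "node_modules/";
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    if (name !== "cookiejar") continue;
    if (compareVersions(entry.version, FIXED_VERSION) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one direct cookiejar 2.1.3 (affected) and one
// nested copy under another dependency that already carries the fixed 2.1.4.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/cookiejar": { version: "2.1.3" },
    "node_modules/superagent": { version: "8.0.9", dependencies: { cookiejar: "^2.1.4" } },
    "node_modules/superagent/node_modules/cookiejar": { version: "2.1.4" },
  },
};

console.log(JSON.stringify(findVulnerableCookiejar(SAMPLE_LOCKFILE)));
```

On a real checkout, `npm ls cookiejar` gives the same answer from the installed tree; as the Detail section notes, a hit only matters if some code path reaches Cookie.parse.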
