{"api_version":"1","generated_at":"2026-04-23T00:58:30+00:00","cve":"CVE-2016-1000232","urls":{"html":"https://cve.report/CVE-2016-1000232","api":"https://cve.report/api/cve/CVE-2016-1000232.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2016-1000232","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000232"},"summary":{"title":"CVE-2016-1000232","description":"NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2018-09-05 17:29:00","updated_at":"2018-10-31 15:02:00"},"problem_types":["CWE-20"],"metrics":[],"references":[{"url":"https://access.redhat.com/errata/RHSA-2016:2101","name":"RHSA-2016:2101","refsource":"REDHAT","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae","name":"https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae","refsource":"CONFIRM","tags":["Patch","Third Party Advisory"],"title":"Merge pull request #68 from SalesforceEng/fix-too-many-semicolons · salesforce/tough-cookie@6156272 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/","name":"https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"IBM Security Bulletin: IBM API Connect is affected by Node.js tough-cookie module vulnerability to a denial of service (CVE-2016-1000232) - IBM PSIRT Blog","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2017:2912","name":"RHSA-2017:2912","refsource":"REDHAT","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534","name":"https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534","refsource":"CONFIRM","tags":["Patch","Third Party Advisory"],"title":"Reduce parse time for many semicolons. · salesforce/tough-cookie@e4fc2e0 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/security/cve/cve-2016-1000232","name":"https://access.redhat.com/security/cve/cve-2016-1000232","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"CVE-2016-1000232 - Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.npmjs.com/advisories/130","name":"https://www.npmjs.com/advisories/130","refsource":"MISC","tags":["Third Party Advisory"],"title":"Overview","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2016-1000232","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000232","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2016","cve_id":"1000232","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ibm","cpe5":"api_connect","cpe6":"5.0.8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"1000232","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ibm","cpe5":"api_connect","cpe6":"5.0.8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"1000232","vulnerable":"1","versionEndIncluding":"5.0.6.5","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ibm","cpe5":"api_connect","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"1000232","vulnerable":"1","versionEndIncluding":"5.0.7.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ibm","cpe5":"api_connect","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"1000232","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openshift_container_platform","cpe6":"3.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"1000232","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openshift_container_platform","cpe6":"3.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"1000232","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openshift_container_platform","cpe6":"3.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"1000232","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openshift_container_platform","cpe6":"3.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"1000232","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openshift_container_platform","cpe6":"3.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"1000232","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openshift_container_platform","cpe6":"3.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"1000232","vulnerable":"1","versionEndIncluding":"2.2.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"salesforce","cpe5":"tough-cookie","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2016-1000232","qid":"982194","title":"Nodejs (npm) Security Update for tough-cookie (GHSA-qhv9-728r-6jqg)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","DATE_ASSIGNED":"2018-09-03T16:07:16.985208","DATE_REQUESTED":"1016-10-28T00:00:00","ID":"CVE-2016-1000232","REQUESTER":"kurt@seifried.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"RHSA-2016:2101","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2016:2101"},{"name":"https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/","refsource":"CONFIRM","url":"https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/"},{"name":"RHSA-2017:2912","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2017:2912"},{"name":"https://www.npmjs.com/advisories/130","refsource":"MISC","url":"https://www.npmjs.com/advisories/130"},{"name":"https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae","refsource":"CONFIRM","url":"https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae"},{"name":"https://access.redhat.com/security/cve/cve-2016-1000232","refsource":"CONFIRM","url":"https://access.redhat.com/security/cve/cve-2016-1000232"},{"name":"https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534","refsource":"CONFIRM","url":"https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534"}]}},"nvd":{"publishedDate":"2018-09-05 17:29:00","lastModifiedDate":"2018-10-31 15:02:00","problem_types":["CWE-20"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:N/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:salesforce:tough-cookie:*:*:*:*:*:node.js:*:*","versionStartIncluding":"0.9.7","versionEndIncluding":"2.2.2","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ibm:api_connect:5.0.8.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ibm:api_connect:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0.7.0","versionEndIncluding":"5.0.7.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:openshift_container_platform:3.3:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:openshift_container_platform:3.2:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:openshift_container_platform:3.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ibm:api_connect:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0.6.0","versionEndIncluding":"5.0.6.5","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2016","CveId":"1000232","Ordinal":"94909","Title":"CVE-2016-1000232","CVE":"CVE-2016-1000232","Year":"2016"},"notes":[{"CveYear":"2016","CveId":"1000232","Ordinal":"1","NoteData":"NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0.","Type":"Description","Title":null},{"CveYear":"2016","CveId":"1000232","Ordinal":"2","NoteData":"2018-09-05","Type":"Other","Title":"Published"},{"CveYear":"2016","CveId":"1000232","Ordinal":"3","NoteData":"2018-09-06","Type":"Other","Title":"Modified"}]}}}