<p>Upgrade <code>rails-session-decoder</code> to version 1.1.0 or higher.</p>

Information Exposure Affecting rails-session-decoder package, versions <1.1.0

Snyk CVSS

Attack Complexity High

Confidentiality High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JS-RAILSSESSIONDECODER-73497
published 10 Jan 2019
disclosed 8 Jan 2019
credit Alex Hill

Report a new vulnerability Found a mistake?

Introduced: 8 Jan 2019

CWE-200 Open this link in a new tab

How to fix?

Upgrade rails-session-decoder to version 1.1.0 or higher.

Overview

rails-session-decoder is a simple utility for decoding Rails 4.x sessions in node.js

Affected versions of this package are vulnerable to Information Exposure. Missing verification of the Message Authentication Code appended to the cookies may lead to decryption of cipher text thus exposing encrypted information.

References

GitHub Commit
NPM Security Advisory