GHSA-5J35-XR4G-VWF4
Vulnerability from github – Published: 2026-03-25 17:32 – Updated: 2026-03-25 17:32
VLAI
Summary
@grackle-ai/server has a Missing Secure Flag on Session Cookie
Details
Impact
The session cookie is set with HttpOnly; SameSite=Lax; Path=/ but does not include the Secure flag. Without Secure, the browser attaches the cookie to every plain-HTTP request it makes to the host, so the session token crosses the network in cleartext.
The server binds to 127.0.0.1 by default and serves HTTP (not HTTPS), so for localhost use the missing flag has no practical effect: the traffic never leaves the machine. When --allow-network is used to bind to 0.0.0.0, however, clients on the LAN log in over plain HTTP, and an attacker on the network path can capture the session cookie and replay it to hijack the session.
Affected code:
- packages/server/src/session.ts:76 — cookie string lacks ; Secure attribute
Patches
0.70.5
Fix: conditionally add ; Secure when served over HTTPS or when --allow-network is enabled. The snippet below shows the HTTPS condition. Note that behind a TLS-terminating reverse proxy the backend socket is still plain HTTP, so whatever feeds isHttps has to take the proxy into account (for example via the X-Forwarded-Proto header it sets), or the flag will never be emitted:
```typescript
// Emit "; Secure" only when the response travels over TLS.
const securePart = isHttps ? "; Secure" : "";
return `${SESSION_COOKIE_NAME}=${cookieValue}; HttpOnly; SameSite=Lax; Path=/${securePart}; Max-Age=${maxAge}`;
```
Workarounds
Do not use --allow-network over untrusted networks without a TLS-terminating reverse proxy in front of the server. The Secure flag by itself cannot protect a plain-HTTP deployment: modern browsers refuse to store a Secure cookie received over an insecure non-localhost origin, so adding the flag without TLS would break login rather than secure it. TLS is the actual mitigation; Secure then stops the browser from leaking the cookie on any stray http:// request to the same host.
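The following is an added example for this advisory, not code from @grackle-ai/server. It puts the conditional Secure logic from the Patches section next to the two things a practitioner needs around it: deciding whether the client actually arrived over TLS when a reverse proxy terminates it (the Workarounds case), and auditing a captured Set-Cookie header to confirm the flag is present. The cookie name, the function names buildSessionCookie, requestIsHttps and auditSetCookie, and the trustProxy switch are all hypothetical; the token is constructed sample data.

```typescript
// Added example for GHSA-5j35-xr4g-vwf4; not code from @grackle-ai/server.
// SESSION_COOKIE_NAME's value and every function name here are hypothetical.
const SESSION_COOKIE_NAME = "grackle_session"; // assumed; the real name lives in session.ts

interface CookieOptions {
  isHttps: boolean;       // true when the browser reached the server over TLS
  maxAgeSeconds: number;
}

// Builds the Set-Cookie value. The Secure attribute is emitted only when the
// response travels over TLS, mirroring the conditional in the 0.70.5 fix.
function buildSessionCookie(value: string, opts: CookieOptions): string {
  const securePart = opts.isHttps ? "; Secure" : "";
  return `${SESSION_COOKIE_NAME}=${value}; HttpOnly; SameSite=Lax; Path=/${securePart}; Max-Age=${opts.maxAgeSeconds}`;
}

// Decides whether the client's connection is TLS. Behind a TLS-terminating
// reverse proxy the backend socket is plain HTTP, so the scheme has to come
// from X-Forwarded-Proto, and that header must only be trusted when the
// deployment really sits behind a proxy that overwrites it (trustProxy).
function requestIsHttps(
  socketEncrypted: boolean,
  forwardedProto: string | undefined,
  trustProxy: boolean,
): boolean {
  if (socketEncrypted) return true;
  if (trustProxy && forwardedProto) {
    // The header may list several hops; the first entry is the client-facing one.
    return forwardedProto.split(",")[0].trim().toLowerCase() === "https";
  }
  return false;
}

interface CookieAudit {
  name: string;
  secure: boolean;
  httpOnly: boolean;
  sameSite: string | null;
}

// Parses a Set-Cookie header (e.g. one captured with curl -si) and reports
// which security attributes are present, so a deployment can be checked.
function auditSetCookie(header: string): CookieAudit {
  const [nameValue, ...attrs] = header.split(";").map((p) => p.trim());
  const eqName = nameValue.indexOf("=");
  const result: CookieAudit = {
    name: eqName === -1 ? nameValue : nameValue.slice(0, eqName),
    secure: false,
    httpOnly: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const val = eq === -1 ? null : attr.slice(eq + 1);
    if (key === "secure") result.secure = true;
    else if (key === "httponly") result.httpOnly = true;
    else if (key === "samesite") result.sameSite = val;
  }
  return result;
}

// Demo: the same login handled on plain HTTP (localhost, or --allow-network
// without TLS) and behind a TLS-terminating proxy that sets X-Forwarded-Proto.
const token = "constructed-session-token"; // constructed sample value
const plainHttp = buildSessionCookie(token, {
  isHttps: requestIsHttps(false, undefined, false),
  maxAgeSeconds: 3600,
});
const behindProxy = buildSessionCookie(token, {
  isHttps: requestIsHttps(false, "https", true),
  maxAgeSeconds: 3600,
});
console.log("plain HTTP :", plainHttp, "secure =", auditSetCookie(plainHttp).secure);
console.log("via TLS    :", behindProxy, "secure =", auditSetCookie(behindProxy).secure);
```

To check a running instance, capture the Set-Cookie header returned by whichever endpoint issues the session (curl -si against the server, or the browser's network panel) and feed it to auditSetCookie; a deployment reached through https:// that still reports secure = false means the proxy's forwarded-protocol signal is not reaching the cookie code.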
Resources
- OWASP: Secure Cookie Attribute
- File:
packages/server/src/session.ts
Severity
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.70.4"
},
"package": {
"ecosystem": "npm",
"name": "@grackle-ai/server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.70.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-25T17:32:39Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\n\nThe session cookie is set with `HttpOnly; SameSite=Lax; Path=/` but does not include the `Secure` flag. This means the cookie will be sent over plain HTTP connections.\n\nSince the server binds to `127.0.0.1` by default and uses HTTP (not HTTPS), this is acceptable for localhost use. However, when `--allow-network` is used to bind to `0.0.0.0`, cookies could be transmitted over insecure network connections and intercepted by an attacker.\n\n**Affected code:**\n- `packages/server/src/session.ts:76` \u2014 cookie string lacks `; Secure` attribute\n\n### Patches\n\n0.70.5\n\n**Fix:** Conditionally add `; Secure` when served over HTTPS or when `--allow-network` is enabled:\n```typescript\nconst securePart = isHttps ? \"; Secure\" : \"\";\nreturn `${SESSION_COOKIE_NAME}=${cookieValue}; HttpOnly; SameSite=Lax; Path=/${securePart}; Max-Age=${maxAge}`;\n```\n\n### Workarounds\n\nDo not use `--allow-network` over untrusted networks without a TLS-terminating reverse proxy.\n\n### Resources\n\n- OWASP: Secure Cookie Attribute\n- File: `packages/server/src/session.ts`",
"id": "GHSA-5j35-xr4g-vwf4",
"modified": "2026-03-25T17:32:39Z",
"published": "2026-03-25T17:32:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nick-pape/grackle/security/advisories/GHSA-5j35-xr4g-vwf4"
},
{
"type": "PACKAGE",
"url": "https://github.com/nick-pape/grackle"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "@grackle-ai/server has a Missing Secure Flag on Session Cookie"
}
Sightings: none recorded.