csurf 1.9.0 Pulls Critical Transitive Vulnerability from cookie-0.3.1 — No Patch Available
The csurf middleware package, a widely adopted CSRF token library for Node.js applications, has been flagged for containing two security vulnerabilities in its dependency chain, including a critical-severity flaw scoring 9.8 on the CVSS scale. The root cause traces not to csurf itself but to the transitive dependency cookie-0.3.1.tgz, which introduces both the critical CVE-407329-481703 and a medium-severity flaw, CVE-2024-47764. Neither vulnerability has a known fix, and no remediation path is currently available through standard update channels.
CVE-407329-481703 carries a CVSS score of 9.8, placing it in the critical range. The flaw resides in the HTTP cookie parsing and serialization functions shipped by the cookie library. Security researchers classify the exploit maturity as undefined, and the EPSS (Exploit Prediction Scoring System) metric is unavailable. CVE-2024-47764 rates 5.3 (medium severity) with an EPSS below 1%, though exploit development status remains undefined. Both vulnerabilities propagate transitively: any application depending on csurf inherits the risk even though the vulnerable code never appears in its own codebase, because csurf's nested copy of cookie is installed alongside whatever cookie version the application declares directly.
The lack of a fixed version in cookie-0.3.1.tgz places immediate pressure on development teams using csurf in production environments. Applications relying on this middleware for CSRF token generation may be exposed to attack vectors not yet fully characterized. Security teams should monitor the Mend vulnerability database and the official npm registry for updates, evaluate compensating controls such as request validation layers, and assess whether alternative CSRF protection libraries offer safer dependency paths. The transitive nature of the flaw complicates remediation, as a fix would require an upstream update to the cookie package followed by a csurf release.
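Because the flaw is transitive, the first step for a team is to confirm which dependency chains in their own project reach cookie 0.3.1 and whether upgrading a direct cookie dependency actually removes the nested copy (it usually does not). The script below is an added example, not code from the advisory, from csurf or from npm: it reads a package-lock.json `packages` map (lockfileVersion 2 or 3) and reports every chain from the project root to a given package version, mirroring what `npm ls cookie` shows. The lock data embedded here is constructed for illustration; only the csurf@1.9.0 and cookie@0.3.1 versions come from the advisory, and the `express` entry and its cookie version are assumed values.

```javascript
// Added example (not from the advisory, csurf or npm): trace which
// dependency chains pull a given package version into a Node.js project
// by walking the "packages" map of a package-lock.json (lockfileVersion 2/3).

// Constructed sample lock data. csurf@1.9.0 and cookie@0.3.1 are the versions
// named in the advisory; the root-level cookie and express entries are
// assumptions made up for this example.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { csurf: "^1.9.0", cookie: "^0.7.2", express: "^4.19.0" } },
    "node_modules/csurf": {
      version: "1.9.0",
      dependencies: { cookie: "0.3.1", "cookie-signature": "1.0.6" },
    },
    // Nested copy: upgrading the root-level cookie does not touch this one.
    "node_modules/csurf/node_modules/cookie": { version: "0.3.1" },
    "node_modules/cookie": { version: "0.7.2" },
    "node_modules/cookie-signature": { version: "1.0.6" },
    "node_modules/express": { version: "4.19.2", dependencies: { cookie: "0.6.0" } },
    "node_modules/express/node_modules/cookie": { version: "0.6.0" },
  },
};

// Package name from a lock path, e.g. "node_modules/a/node_modules/@s/b" -> "@s/b".
function packageName(pkgPath) {
  const marker = "node_modules/";
  return pkgPath.slice(pkgPath.lastIndexOf(marker) + marker.length);
}

// Node's resolution order: <from>/node_modules/<name>, then each ancestor
// package's node_modules, finally the project root's node_modules.
function resolveDependency(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. optional dep skipped)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// All chains root -> ... -> target@version, each rendered as "name@version".
function findDependencyChains(lock, targetName, targetVersion) {
  const packages = lock.packages;
  if (!packages) throw new Error("lockfileVersion 1 has no 'packages' map");
  const chains = [];
  function walk(pkgPath, chain) {
    const entry = packages[pkgPath];
    if (!entry) return;
    for (const depName of Object.keys(entry.dependencies || {})) {
      const depPath = resolveDependency(packages, pkgPath, depName);
      if (!depPath || chain.includes(depPath)) continue; // missing or cycle
      const next = [...chain, depPath];
      if (depName === targetName && packages[depPath].version === targetVersion) {
        chains.push(next.map((p) => `${packageName(p)}@${packages[p].version}`));
      }
      walk(depPath, next);
    }
  }
  walk("", []);
  return chains;
}

// Every installed copy of a package, like `npm ls <name>` (sorted by path).
function listInstalledVersions(lock, name) {
  return Object.keys(lock.packages)
    .filter((p) => p && packageName(p) === name)
    .sort()
    .map((p) => ({ path: p, version: lock.packages[p].version }));
}

// Report for the advisory's case against the constructed lock data.
function report(lock, name, version) {
  const lines = [`Installed copies of ${name}:`];
  for (const c of listInstalledVersions(lock, name)) lines.push(`  ${c.version}  ${c.path}`);
  lines.push(`Chains reaching ${name}@${version}:`);
  for (const chain of findDependencyChains(lock, name, version)) lines.push(`  ${chain.join(" > ")}`);
  return lines.join("\n");
}

console.log(report(SAMPLE_LOCK, "cookie", "0.3.1"));
```

Point the same functions at a parsed real lock file (JSON.parse of package-lock.json) to get the project's actual chains. If the only chain reaching cookie@0.3.1 runs through csurf, the compensating-control and library-replacement assessment in the paragraph above can be scoped to that one dependency; if other chains appear, each needs its own remediation path.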