CVE-2024-28195: Missing Samesite On Express Cookie

A cookie is set via `res.cookie` without specifying the `sameSite` attribute. Without `sameSite` correctly configured to `'lax'` or `'strict'`, the cookie will be sent in third-party contexts, exposing the application to Cross-Site Request Forgery (CSRF). Always supply an options object configuring `{ sameSite: 'lax' }` or stricter, along with `httpOnly` where a
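As an added example (not code from this rule page, from Express, or from any project), the pattern the rule flags is shown beside a hardened helper. `serializeCookie` and `makeRes` are small stand-ins for the parts of Express's cookie serialization and `res` object the example touches, so it runs without the framework; the session id is a constructed value.

```javascript
// Minimal Set-Cookie serializer standing in for Express's (assumption: it
// only covers the attributes used below).
function serializeCookie(name, value, options = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (options.path) parts.push(`Path=${options.path}`);
  if (options.httpOnly) parts.push('HttpOnly');
  if (options.secure) parts.push('Secure');
  if (options.sameSite) {
    const v = String(options.sameSite).toLowerCase();
    parts.push(`SameSite=${v.charAt(0).toUpperCase()}${v.slice(1)}`);
  }
  return parts.join('; ');
}

// Stand-in for the Express `res` object: records each Set-Cookie header.
function makeRes() {
  const headers = [];
  return {
    headers,
    cookie(name, value, options) {
      headers.push(serializeCookie(name, value, options));
      return this;
    },
  };
}

// What the rule flags: no options object, so the header carries no
// SameSite attribute and the cookie rides along on cross-site requests.
function vulnerableHandler(res, sessionId) {
  res.cookie('session', sessionId);
  return res.headers[res.headers.length - 1];
}

// Hardened: a helper that always applies safe defaults and refuses to
// emit a session cookie whose sameSite is not 'lax' or 'strict'.
const SAFE_DEFAULTS = { sameSite: 'lax', httpOnly: true, secure: true, path: '/' };

function setSessionCookie(res, name, value, overrides = {}) {
  const opts = { ...SAFE_DEFAULTS, ...overrides };
  const site = String(opts.sameSite || '').toLowerCase();
  if (site !== 'lax' && site !== 'strict') {
    throw new Error(`refusing to set ${name}: sameSite must be 'lax' or 'strict'`);
  }
  res.cookie(name, value, opts);
  return res.headers[res.headers.length - 1];
}

// Check a header the way a reviewer or test would.
function hasSameSite(header) {
  return /;\s*SameSite=(Lax|Strict)/i.test(header);
}

// Constructed session id for the demonstration.
const SESSION_ID = 'c0ns7ruct3d-session-id';
console.log('flagged :', vulnerableHandler(makeRes(), SESSION_ID));
console.log('hardened:', setSessionCookie(makeRes(), 'session', SESSION_ID));
```

Routing every session cookie through `setSessionCookie` turns the rule's finding into a build-time failure rather than a runtime gap: a caller that passes `{ sameSite: 'none' }` throws instead of silently shipping a cookie that third-party contexts can send.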

Provally Curated | Public repository | High | Medium confidence | Verified | Apache-2.0 | javascript
greprules fetch cve-2024-28195-missing-samesite-on-express-cookie --engine opengrep


Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided
