Affected versions of tough-cookie are susceptible to a regular expression denial of service.
The amplification on this vulnerability is relatively low – it takes around 2 seconds for the engine to execute on a malicious input which is 50,000 characters…