{"data":{"id":"5d597700-489d-4b46-ae03-fe77cd9765d3","title":"GHSA-5j35-xr4g-vwf4: @grackle-ai/server has a Missing Secure Flag on Session Cookie","summary":"The @grackle-ai/server software does not set the Secure flag on its session cookie (the attribute that tells a browser never to send the cookie over an unencrypted HTTP connection). This is low risk for purely local use, but enabling the `--allow-network` option exposes the cookie to an attacker positioned on the network path (passive sniffing or an active man-in-the-middle) whenever the cookie travels over plain HTTP, allowing that attacker to capture the cookie and replay it to hijack the session.","solution":"Update to version 0.70.5. The fix conditionally appends the `; Secure` attribute to the cookie when the server uses HTTPS or when `--allow-network` is enabled, using this code: `const securePart = isHttps ? \"; Secure\" : \"\"; return \\`${SESSION_COOKIE_NAME}=${cookieValue}; HttpOnly; SameSite=Lax; Path=/${securePart}; Max-Age=${maxAge}\\`;`. Note that the quoted snippet keys only on `isHttps`; how `--allow-network` feeds into that condition is not shown here. As a temporary workaround, do not use `--allow-network` over untrusted networks without a TLS-terminating reverse proxy (a security intermediary that handles encrypted connections) in front of the server, and make sure the server is not also reachable over plain HTTP through that proxy: because affected versions omit the Secure flag, a browser will still send the cookie to an http:// URL on the same host, so the plaintext port must be closed or redirected to HTTPS (ideally with HSTS) for the proxy to actually protect the cookie.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-5j35-xr4g-vwf4","publishedAt":"2026-03-25T17:32:39.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"low","severity":"low","attackType":["other"],"issueType":"vulnerability","affectedPackages":["@grackle-ai/server@<= 0.70.4 (fixed: 0.70.5)"],"affectedVendors":[],"affectedVendorsRaw":["Grackle AI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-03-25T17:32:39.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}