CVE-2026-46625
Status: Received - Intake
Prototype Pollution in js-cookie Library

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property, so the for...in enumerates it and the target[key] = source[key] write triggers the Object.prototype.__proto__ setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys. Because the consuming set() function then enumerates the merged object with another for...in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down. This issue has been patched in version 3.0.7.
Meta Information
Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-06-11
AI Q&A: 2026-06-11
EPSS Evaluated: N/A
NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: js-cookie
Product: js-cookie
Version / Range: up to 3.0.7 (3.0.7 excluded)
CWE
CWE-1321: The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Executive Summary

This vulnerability exists in the js-cookie JavaScript API prior to version 3.0.7. The issue arises because the internal assign() helper copies properties using a for...in loop combined with plain assignment. When the source object is created by JSON.parse, it includes an own enumerable "__proto__" property. This causes the for...in loop to enumerate "__proto__", triggering the Object.prototype.__proto__ setter on the target object. As a result, the target object's prototype is hijacked on a per-instance basis, meaning the merged attributes object inherits attacker-controlled keys without modifying Object.prototype itself.

Because the set() function later enumerates this merged object, every key placed by the attacker on the polluted prototype is included in the resulting Set-Cookie string as an attribute pair. This allows an attacker to set cookie attributes such as domain=, secure=, samesite=, expires=, and path= on cookies that the developer intended to be locked down.

This vulnerability has been fixed in version 3.0.7 of js-cookie.
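The following is an added illustration of the mechanism described in the Description and Executive Summary above; it is not js-cookie's own code and does not claim to reproduce the exact change shipped in 3.0.7. It shows a for...in + plain-assignment merge (assignUnsafe) next to a hardened variant (assignSafe) that copies only own keys and refuses prototype-hijacking key names, plus a minimal cookie-string builder (buildSetCookie, a hypothetical stand-in for the enumeration step in set()). The JSON input is constructed for the demo.

```javascript
// Vulnerable merge pattern, as the advisory describes: for...in + plain assignment.
// A JSON.parse-produced "__proto__" own property is enumerated here, and the write
// target["__proto__"] = ... invokes the Object.prototype.__proto__ setter on the
// fresh {} target, swapping that one object's prototype (Object.prototype is untouched).
function assignUnsafe(target, ...sources) {
  for (const source of sources) {
    for (const key in source) {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened variant (assumption: one reasonable fix, not necessarily the 3.0.7 patch):
// iterate own keys only and skip names that can reach or alter the prototype chain.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function assignSafe(target, ...sources) {
  for (const source of sources) {
    for (const key of Object.keys(source)) {
      if (BLOCKED_KEYS.has(key)) continue;
      target[key] = source[key];
    }
  }
  return target;
}

// Hypothetical stand-in for the Set-Cookie string assembly: another for...in over the
// merged attributes, so inherited (prototype) keys are emitted as attribute pairs too.
function buildSetCookie(name, value, attributes) {
  let stringified = `${name}=${encodeURIComponent(value)}`;
  for (const attr in attributes) {
    if (!attributes[attr]) continue;           // falsy attributes are omitted
    stringified += `; ${attr}`;
    if (attributes[attr] === true) continue;   // boolean flags such as "secure"
    stringified += `=${String(attributes[attr]).split(';')[0]}`;
  }
  return stringified;
}

// Constructed sample: attribute overrides that arrived as JSON text from an untrusted source.
const UNTRUSTED_JSON = '{"__proto__":{"domain":"evil.example","secure":false}}';

// Merge developer defaults with the parsed JSON using the given assign function and
// report what a defender would want to check: was this instance's prototype replaced,
// does it now inherit a "domain" it never owned, is the global prototype still clean,
// and what header would actually be emitted.
function demo(assignFn) {
  const defaults = { path: '/', secure: true, sameSite: 'strict' };
  const merged = assignFn({}, defaults, JSON.parse(UNTRUSTED_JSON));
  return {
    prototypePolluted: Object.getPrototypeOf(merged) !== Object.prototype,
    inheritsDomain: 'domain' in merged && !Object.prototype.hasOwnProperty.call(merged, 'domain'),
    globalPrototypeIntact: !('domain' in {}),
    header: buildSetCookie('session', 'abc', merged),
  };
}

console.log('unsafe:', demo(assignUnsafe));
console.log('safe:  ', demo(assignSafe));
```

With assignUnsafe the merged object's own keys (path, secure, sameSite) are emitted first and then the inherited domain=evil.example follows, while a fresh {} shows no pollution; with assignSafe the "__proto__" key is dropped and the header contains only the developer's attributes. Note that Object.keys alone is not sufficient, since JSON.parse makes "__proto__" an own key; the explicit block list is what prevents the setter from being reached.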

Impact Analysis

This vulnerability can allow an attacker to manipulate cookie attributes that developers believed were secure and immutable. By hijacking the prototype of the attributes object, an attacker can inject arbitrary cookie attributes such as domain, secure, samesite, expires, and path.

This manipulation can lead to security issues such as unauthorized cookie sharing across domains, bypassing secure cookie flags, or altering cookie expiration, potentially enabling session hijacking, cross-site request forgery (CSRF), or other attacks that rely on cookie integrity.

Mitigation Strategies

To mitigate this vulnerability, upgrade the js-cookie library to version 3.0.7 or later, where the issue has been patched.
