CVE-2026-46625
Status: Awaiting Analysis

Prototype Pollution in js-cookie Library

Vulnerability report for CVE-2026-46625, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property, so the for...in enumerates it and the target[key] = source[key] write triggers the Object.prototype.__proto__ setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys. Because the consuming set() function then enumerates the merged object with another for...in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down. This issue has been patched in version 3.0.7.

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-30
Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Showing 1 associated CPE

Vendor    | Product   | Version / Range
js-cookie | js-cookie | up to 3.0.7 (3.0.7 excluded)

Exploitability

CWE ID   | Description
CWE-915  | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

AI Quick Actions
Executive Summary

This vulnerability exists in the js-cookie JavaScript API prior to version 3.0.7. The issue arises because the internal assign() helper copies properties using a for...in loop combined with plain assignment. When the source object is created by JSON.parse, it includes an own enumerable "__proto__" property. This causes the for...in loop to enumerate "__proto__", triggering the Object.prototype.__proto__ setter on the target object. As a result, the target object's prototype is hijacked on a per-instance basis, meaning the merged attributes object inherits attacker-controlled keys without modifying Object.prototype itself.

Because the set() function later enumerates this merged object, every key placed by the attacker on the polluted prototype is included in the resulting Set-Cookie string as an attribute pair. This allows an attacker to set cookie attributes such as domain=, secure=, samesite=, expires=, and path= on cookies that the developer intended to be locked down.

This vulnerability has been fixed in version 3.0.7 of js-cookie.
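The merge-then-enumerate sequence described in the Description and again in the Executive Summary, as an added illustration that is not js-cookie's own code: a minimal for...in merge that reproduces the per-instance prototype hijack on a JSON.parse-produced source, beside a hardened merge that copies only own, non-prototype keys onto a null-prototype target. The function names, the locked attribute set and the parsed JSON document are constructed for this example.

```javascript
// Vulnerable pattern: for...in + plain assignment (illustrative, not
// js-cookie's assign()). When the source came from JSON.parse, "__proto__"
// is an own enumerable key, so target["__proto__"] = ... invokes the
// Object.prototype.__proto__ setter and swaps the prototype of the fresh {}.
function mergeUnsafe(target, ...sources) {
  for (const source of sources) {
    for (const key in source) {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: enumerate own keys only, refuse prototype-setting keys,
// and build on a null-prototype object, which has no __proto__ setter at all.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function mergeSafe(...sources) {
  const target = Object.create(null);
  for (const source of sources) {
    for (const key of Object.keys(source)) {
      if (BLOCKED_KEYS.has(key)) continue;
      target[key] = source[key];
    }
  }
  return target;
}

// Stands in for the consumer on the page: a second for...in over the merged
// attributes, which walks inherited enumerable keys as well as own ones.
function attributePairs(attrs) {
  const pairs = [];
  for (const name in attrs) pairs.push(`${name}=${attrs[name]}`);
  return pairs;
}

// Quick check for an already-merged attributes object: a plain object literal
// should still have Object.prototype (or null, if built that way) as its prototype.
function hasHijackedPrototype(obj) {
  const proto = Object.getPrototypeOf(obj);
  return proto !== Object.prototype && proto !== null;
}

// Constructed inputs: attributes the developer pinned, and a document from an
// untrusted source as it looks after JSON.parse (the values are made up).
const lockedAttributes = { path: "/", secure: true };
const untrustedAttributes = JSON.parse('{"__proto__":{"domain":"attacker.example","secure":false}}');

const polluted = mergeUnsafe({}, lockedAttributes, untrustedAttributes);
const hardened = mergeSafe(lockedAttributes, untrustedAttributes);
```

Note that Object.prototype.domain stays undefined throughout: only the one merged instance is affected, which is why a global prototype-pollution check would not catch this variant.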

Impact Analysis

This vulnerability can allow an attacker to manipulate cookie attributes that developers believed were secure and immutable. By hijacking the prototype of the attributes object, an attacker can inject arbitrary cookie attributes such as domain, secure, samesite, expires, and path.

This manipulation can lead to security issues such as unauthorized cookie sharing across domains, bypassing secure cookie flags, or altering cookie expiration, potentially enabling session hijacking, cross-site request forgery (CSRF), or other attacks that rely on cookie integrity.

Mitigation Strategies

To mitigate this vulnerability, upgrade the js-cookie library to version 3.0.7 or later, where the issue has been patched.

Compliance Impact

This vulnerability allows an attacker to inject malicious cookie attributes such as domain, secure, samesite, expires, and path by exploiting prototype pollution in the js-cookie library. As a result, security settings intended to protect cookies can be overridden, potentially exposing sensitive user data or session information.

Such manipulation of cookie attributes can undermine data integrity and confidentiality, which are critical components of compliance with standards like GDPR and HIPAA. For example, improperly secured cookies could lead to unauthorized access or data leakage, violating privacy and security requirements mandated by these regulations.

Therefore, this vulnerability poses a risk to compliance by enabling attackers to bypass cookie security controls that help enforce data protection policies.

Detection Guidance

This vulnerability involves prototype pollution in the js-cookie library versions prior to 3.0.7, which allows attackers to inject malicious cookie attributes via JSON objects containing the __proto__ property.

To detect if your system or network is vulnerable, you should first identify if your application uses js-cookie versions 3.0.5 or earlier.

You can check the version of js-cookie in your project by inspecting your package.json or running the following command in your project directory:

  • npm list js-cookie

To detect exploitation attempts on your network, monitor HTTP traffic for suspicious Set-Cookie headers that contain unexpected or attacker-controlled attributes such as domain=evil.example, secure=false, samesite=None, or unusual expires or path values.

For example, using command-line tools like tcpdump or tshark to filter HTTP Set-Cookie headers:

  • tshark -Y 'http.set_cookie' -T fields -e http.set_cookie | grep -E 'domain=|secure=|samesite=|expires=|path='

Bear in mind that js-cookie writes cookies from inside the browser through document.cookie rather than through a server-sent HTTP header, and browsers do not echo attributes such as domain= or path= back in the Cookie request header, so a network capture only surfaces these attributes on cookies the server itself sets; the attributes a manipulated cookie actually received are visible in the browser's cookie storage (for example the browser developer tools) rather than on the wire.

Additionally, review your application logs or web server logs for any suspicious cookie attribute manipulations or unexpected cookie behavior.

Finally, ensure your js-cookie library is updated to version 3.0.7 or later, which includes a patch preventing this vulnerability.
