CVE Catalog

CVE-2026-46625

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.42%

34th percentile - higher than 34% of all known CVEs

Summary

JavaScript Cookie (js-cookie) prior to version 3.0.7 has a prototype pollution vulnerability in the internal assign() helper. An attacker can inject arbitrary cookie attributes such as domain, secure, samesite, expires, or path, overriding developer-intended restrictions.

Risk Assessment

The risk includes potential session fixation, SameSite policy bypass, data leakage, or weakening of web application security due to attacker-controlled cookie attributes.

Recommendation

Upgrade js-cookie to version 3.0.7 or later immediately. If upgrading is not feasible, sanitize any input from JSON.parse before passing it to the library.

Original NVD description (English source)

JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property, so the for…in enumerates it and the target[key] = source[key] write triggers the Object.prototype.__proto__ setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys. Because the consuming set() function then enumerates the merged object with another for...in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down. This issue has been patched in version 3.0.7.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS