Bug 2487740 (CVE-2026-46625)

Summary: CVE-2026-46625 js-cookie: JavaScript Cookie: Cookie attribute manipulation via prototype pollution
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, abarbaro, akostadi, alizardo, amasferr, amctagga, anpicker, anujha, aoconnor, asoldano, bbaranow, bdettelb, bmaxwell, bniver, bparees, brasmith, bstansbe, cmah, cochase, dlofthou, dmayorov, dranck, dschmidt, eaguilar, ebaron, erezende, flucifre, gmeno, groman, hasun, istudens, ivassile, iweiss, jchui, jfula, jhe, jkoehler, jlanda, jlledo, jolong, jowilson, jwong, kaycoth, kshier, ktsao, lchilton, lphiri, mbenjamin, mhackett, mhess, mosmerov, mstipich, msvehla, nboldt, nwallace, nyancey, oaljalju, omaciel, ometelka, pantinor, pesilva, pjindal, pmackay, psrna, ptisnovs, rexwhite, rhel-process-autobot, rstancel, sfeifer, simaishi, smcdonal, sostapov, stcannon, sthirugn, syedriko, teagle, thjenkin, tsedmik, ttakamiy, vdosoudi, vereddy, vle, vwilson, watson-tool-maintainers, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in JavaScript Cookie (js-cookie). This vulnerability allows a remote attacker to manipulate cookie attributes by exploiting a prototype pollution issue within the `assign()` helper function. When processing specially crafted JSON input, the flaw enables an attacker to hijack the prototype of a cookie's attribute object. This allows the attacker to set sensitive cookie attributes such as `domain`, `secure`, `samesite`, `expires`, and `path`, potentially leading to security bypasses or session manipulation.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-10 22:01:40 UTC
JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property, so the for…in enumerates it and the target[key] = source[key] write triggers the Object.prototype.__proto__ setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys. Because the consuming set() function then enumerates the merged object with another for...in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down. This issue has been patched in version 3.0.7.