Bug 2487740 (CVE-2026-46625)
| Summary: | CVE-2026-46625 js-cookie: JavaScript Cookie: Cookie attribute manipulation via prototype pollution | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aazores, abarbaro, akostadi, alizardo, amasferr, amctagga, anpicker, anujha, aoconnor, asoldano, bbaranow, bdettelb, bmaxwell, bniver, bparees, brasmith, bstansbe, cmah, cochase, dlofthou, dmayorov, dranck, dschmidt, eaguilar, ebaron, erezende, flucifre, gmeno, groman, hasun, istudens, ivassile, iweiss, jchui, jfula, jhe, jkoehler, jlanda, jlledo, jolong, jowilson, jwong, kaycoth, kshier, ktsao, lchilton, lphiri, mbenjamin, mhackett, mhess, mosmerov, mstipich, msvehla, nboldt, nwallace, nyancey, oaljalju, omaciel, ometelka, pantinor, pesilva, pjindal, pmackay, psrna, ptisnovs, rexwhite, rhel-process-autobot, rstancel, sfeifer, simaishi, smcdonal, sostapov, stcannon, sthirugn, syedriko, teagle, thjenkin, tsedmik, ttakamiy, vdosoudi, vereddy, vle, vwilson, watson-tool-maintainers, xdharmai, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in JavaScript Cookie (js-cookie). This vulnerability allows a remote attacker to manipulate cookie attributes by exploiting a prototype pollution issue within the `assign()` helper function. When processing specially crafted JSON input, the flaw enables an attacker to hijack the prototype of a cookie's attribute object. This allows the attacker to set sensitive cookie attributes such as `domain`, `secure`, `samesite`, `expires`, and `path`, potentially leading to security bypasses or session manipulation.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property, so the for…in enumerates it and the target[key] = source[key] write triggers the Object.prototype.__proto__ setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys. Because the consuming set() function then enumerates the merged object with another for...in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down. This issue has been patched in version 3.0.7.