CVE-2026-46625 - Vulnerability Details

Description

JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property, so the for…in enumerates it and the target[key] = source[key] write triggers the Object.prototype.__proto__ setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys. Because the consuming set() function then enumerates the merged object with another for...in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down. This issue has been patched in version 3.0.7.

Published: 2026-06-10

Score: 7.5 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The js‑cookie library prior to v3.0.7 copies object properties with a for…in loop, which triggers the Object.prototype.__proto__ setter when a parsed JSON object contains an "__proto__" property. This hijacks the per‑instance prototype, causing the merged options object to inherit attacker‑controlled keys. When the set() function later enumerates this object, the attacker‑supplied keys appear in the Set‑Cookie header as cookie attributes, allowing injection of domain, secure, samesite, expires, and path values. This default is an instance of object prototype pollution (CWE‑1321) and enables unauthorized manipulation of cookie attributes.

Affected Systems

The vulnerability affects the js‑cookie JavaScript API. Any application using js‑cookie prior to version 3.0.7 is susceptible; the impacted vendor is js‑cookie:js‑cookie.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity risk. No EPSS score is available and the issue is not listed in the KEV catalog. The attack vector is client‑side JavaScript; an attacker can influence cookie setting by delivering a crafted JSON object to the victim’s browser, making the flaw exploitable in any context where untrusted JSON is parsed into assign(). Given the high severity and the ease of exploitation through normal user interactions, the risk of abuse is significant.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

js-cookie

affected

Version	Status	Constraints
`< 3.0.7`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade js‑cookie to version 3.0.7 or later, which removes the prototype hijack flaw.
Audit application code to ensure that calls to assign() or set() do not receive unchecked JSON or objects containing an "__proto__" property.
Implement defensive cookie handling by explicitly setting domain, secure, sameSite, expires, and path attributes, or use a validated wrapper that rejects unexpected attributes.

Generated by OpenCVE AI on June 10, 2026 at 22:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-qjx8-664m-686j	JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/js-cookie/js-cookie/commit/eb3c40e89731e99b8970faaf35ddad249c6c0020
https://github.com/js-cookie/js-cookie/releases/tag/v3.0.7
https://github.com/js-cookie/js-cookie/security/advisories/GHSA-qjx8-664m-686j

History

Wed, 10 Jun 2026 21:45:00 +0000

Type	Values Removed	Values Added
Description		JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property, so the for…in enumerates it and the target[key] = source[key] write triggers the Object.prototype.__proto__ setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys. Because the consuming set() function then enumerates the merged object with another for...in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down. This issue has been patched in version 3.0.7.
Title		JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
Weaknesses		CWE-1321
References		https://github.com/js-cookie/js-cookie/commit/eb3c40e89731e99b8970faaf35ddad249c6c0020 https://github.com/js-cookie/js-cookie/releases/tag/v3.0.7 https://github.com/js-cookie/js-cookie/security/advisories/GHSA-qjx8-664m-686j
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}`