Impact
The js‑cookie library prior to v3.0.7 copies object properties with a for…in loop, which triggers the Object.prototype.__proto__ setter when a parsed JSON object contains an "__proto__" property. This hijacks the per‑instance prototype, causing the merged options object to inherit attacker‑controlled keys. When the set() function later enumerates this object, the attacker‑supplied keys appear in the Set‑Cookie header as cookie attributes, allowing injection of domain, secure, samesite, expires, and path values. This defect is an instance of object prototype pollution (CWE‑1321) and relates to improper input handling that can lead to unauthorized modification of internal state (CWE‑915), enabling cookie attribute manipulation.
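The copy-and-enumerate pattern described above, shown next to a hardened merge, as an added JavaScript example that is not js-cookie's own code. The function names (assignUnsafe, assignSafe, serializeAttributes) and the sample JSON are constructed for illustration.

```javascript
// Added illustration; not js-cookie source. All function names are hypothetical.

// Copy pattern the advisory describes: for...in plus plain assignment.
// Writing target['__proto__'] invokes the Object.prototype.__proto__ setter,
// so the target's prototype is replaced instead of a property being stored.
function assignUnsafe(target, ...sources) {
  for (const source of sources) {
    for (const key in source) {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: null-prototype target (no __proto__ setter to trigger),
// own keys only, and prototype-related keys dropped outright.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function assignSafe(...sources) {
  const target = Object.create(null);
  for (const source of sources) {
    for (const key of Object.keys(source)) {
      if (!BLOCKED_KEYS.has(key)) target[key] = source[key];
    }
  }
  return target;
}

// Serialises attributes with for...in, which also walks inherited keys,
// mirroring the enumeration step the advisory attributes to set().
function serializeAttributes(attributes) {
  let out = '';
  for (const name in attributes) {
    if (!attributes[name]) continue;
    out += '; ' + name;
    if (attributes[name] !== true) out += '=' + String(attributes[name]).split(';')[0];
  }
  return out;
}

// Constructed sample input: JSON.parse stores "__proto__" as an own property.
const untrusted = JSON.parse('{"__proto__": {"domain": "other.example", "samesite": "None"}}');
const defaults = { path: '/' };

function demo() {
  return {
    unsafe: serializeAttributes(assignUnsafe({}, defaults, untrusted)),
    safe: serializeAttributes(assignSafe(defaults, untrusted)),
  };
}
```

Only the merged object's own prototype is replaced in the unsafe case; Object.prototype itself stays untouched, which is why a check for global pollution alone would miss it.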
Affected Systems
The vulnerability affects the js‑cookie JavaScript API and Red Hat Service Mesh version 3.3 on EL9. Any application using js‑cookie prior to version 3.0.7 is susceptible; the impacted vendor is js‑cookie:js‑cookie.
Risk and Exploitability
The CVSS score is 7.5, indicating a high severity risk. An EPSS score of <1% indicates a very low yet non‑zero exploitation probability, and the issue is not listed in the KEV catalog. The attack vector is client‑side JavaScript; an attacker can influence cookie setting by delivering a crafted JSON object to the victim’s browser, making the flaw exploitable in any context where untrusted JSON is parsed and passed to assign(). Given the high severity and the ease of exploitation through normal user interactions, the risk of abuse is significant.