Description
JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property, so the for…in enumerates it and the target[key] = source[key] write triggers the Object.prototype.__proto__ setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys. Because the consuming set() function then enumerates the merged object with another for...in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down. This issue has been patched in version 3.0.7.
Published: 2026-06-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The js‑cookie library prior to v3.0.7 copies object properties with a for…in loop and plain assignment. When a source object produced by JSON.parse carries an own "__proto__" key, that assignment triggers the Object.prototype.__proto__ setter on the fresh target, replacing the prototype of that one merged object (Object.prototype itself is untouched) so that it inherits attacker‑controlled keys. When set() later enumerates the merged object with another for…in, the inherited keys appear in the Set‑Cookie string as cookie attributes, allowing injection of domain, secure, samesite, expires, and path values. This defect is an instance of prototype pollution (CWE‑1321) and of improperly controlled modification of dynamically determined object attributes (CWE‑915); its practical consequence is cookie attribute manipulation.
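The merge behaviour described in the Description and in the Impact paragraph above, reconstructed as an added example. This is not js-cookie's source: assignVulnerable, assignSafe, buildSetCookie and demo are names chosen here, and the hardened variant is one possible fix, not a claim about what version 3.0.7 does. The attacker JSON is constructed for the example.

```javascript
// Added example: reconstruction of the "for...in + plain assignment" merge the
// advisory describes. NOT js-cookie's actual code; names are this example's own.

// Vulnerable merge: for...in over a JSON.parse'd object enumerates its own
// "__proto__" key, and target["__proto__"] = ... invokes the
// Object.prototype.__proto__ setter, swapping the fresh target's prototype.
function assignVulnerable(target, ...sources) {
  for (const source of sources) {
    for (const key in source) {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge (one way to fix it): copy only own keys, skip "__proto__",
// and define data properties so no inherited setter can ever run.
function assignSafe(target, ...sources) {
  for (const source of sources) {
    for (const key of Object.keys(source)) {
      if (key === '__proto__') continue;
      Object.defineProperty(target, key, {
        value: source[key], writable: true, enumerable: true, configurable: true,
      });
    }
  }
  return target;
}

// Serialiser modelled on a setter that walks the merged attributes with
// for...in: inherited keys are emitted too, which is the injection path.
function buildSetCookie(name, value, attributes) {
  let str = name + '=' + encodeURIComponent(value);
  for (const attr in attributes) {
    if (!attributes[attr]) continue;
    str += '; ' + attr;
    if (attributes[attr] === true) continue;
    str += '=' + String(attributes[attr]).split(';')[0];
  }
  return str;
}

const DEFAULT_ATTRIBUTES = { path: '/' };

// Constructed attacker payload: an attributes object that arrives as untrusted JSON.
const UNTRUSTED_JSON =
  '{"__proto__":{"domain":"attacker.example","samesite":"none"}}';

// Run the merge with a given assign implementation and report what happened.
function demo(assignFn) {
  const attrs = assignFn({}, DEFAULT_ATTRIBUTES, JSON.parse(UNTRUSTED_JSON));
  return {
    cookie: buildSetCookie('session', 'abc123', attrs),
    // Global Object.prototype is untouched either way (per-instance hijack only).
    globalPolluted: 'domain' in {},
    // True when this one merged object no longer inherits from Object.prototype.
    hijacked: Object.getPrototypeOf(attrs) !== Object.prototype,
  };
}

console.log('vulnerable:', demo(assignVulnerable));
console.log('hardened:  ', demo(assignSafe));
```

With the vulnerable merge the cookie string gains `; domain=attacker.example; samesite=none` although the developer only supplied `path`, and `'domain' in {}` stays false, which is why global prototype-pollution checks would not flag this. Using `Object.create(null)` as the merge target is another option, since a null-prototype object has no `__proto__` setter to hit.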

Affected Systems

The vulnerability is in the js‑cookie library itself (vendor js‑cookie, product js‑cookie) prior to version 3.0.7; Red Hat additionally tracks Red Hat Service Mesh 3.3 on EL9 (cpe:/a:redhat:service_mesh:3.3::el9) as shipping an affected copy. Any application using js‑cookie prior to 3.0.7 carries the flaw; it is exploitable wherever an attacker‑influenced object reaches the cookie attributes argument.

Risk and Exploitability

The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, scoring 7.5 (High): network reachable, low complexity, no privileges or user interaction, with a high integrity impact and no confidentiality or availability impact. The EPSS score of <1% indicates a very low but non‑zero exploitation probability, the issue is not listed in the KEV catalog, and the SSVC assessment records Exploitation: poc (a proof of concept exists) and Automatable: yes. The attack surface is client‑side JavaScript: an attacker who can get a crafted JSON object (one carrying an own "__proto__" key) parsed and passed to js‑cookie as the attributes argument can rewrite domain, path, secure, samesite and expires on cookies the application sets. Exploitability therefore hinges on whether untrusted JSON can reach that argument; where it can, the flaw is reliable to trigger and the risk is significant.

Generated by OpenCVE AI on June 30, 2026 at 01:56 UTC.

Remediation

No vendor fix or workaround is recorded in this field; upstream js‑cookie fixed the issue in version 3.0.7 (see Description and Recommended Actions).

OpenCVE Recommended Actions

  • Upgrade js‑cookie to version 3.0.7 or later, which contains the fix for the prototype hijack.
  • Audit application code so that untrusted JSON, or any object that may carry an own "__proto__" key, is never passed as the attributes argument to set(); assign() is an internal helper, so the attributes objects handed to the public API are the inputs to check.
  • Implement defensive cookie handling by explicitly setting domain, secure, sameSite, expires, and path (own keys shadow injected inherited ones, but only for the attributes you set), or use a validated wrapper that rejects unexpected attributes before they reach the library.


Advisories
Source ID Title
Github GHSA  GHSA-qjx8-664m-686j  JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
History

Tue, 30 Jun 2026 00:45:00 +0000

Type                 Values Removed            Values Added
First Time appeared                            Redhat; Redhat service Mesh
Weaknesses                                     CWE-915
CPEs                                           cpe:/a:redhat:service_mesh:3.3::el9
Vendors & Products                             Redhat; Redhat service Mesh
References
Metrics              threat_severity: None     threat_severity: Important


Thu, 11 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Js-cookie
Js-cookie js-cookie
Vendors & Products Js-cookie
Js-cookie js-cookie

Wed, 10 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description (added; identical to the Description text at the top of this page)
Title JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
Weaknesses CWE-1321
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T12:10:03.353Z

Reserved: 2026-05-15T19:34:14.013Z

Link: CVE-2026-46625

Vulnrichment

Updated: 2026-06-30T03:16:03.852Z

NVD

Status : Awaiting Analysis

Published: 2026-06-10T22:16:59.613

Modified: 2026-06-11T17:16:34.250

Link: CVE-2026-46625

Redhat

Severity : Important

Public Date: 2026-06-10T21:18:05Z

Links: CVE-2026-46625 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-30T02:00:05Z

Weaknesses
  • CWE-1321

    Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

  • CWE-915

    Improperly Controlled Modification of Dynamically-Determined Object Attributes