{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/js-cookie--3.0.5/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["js-cookie (\u003c= 3.0.5)"],"_cs_severities":["high"],"_cs_tags":["prototype-pollution","javascript","cookie","CVE-2026-46625"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe \u003ccode\u003ejs-cookie\u003c/code\u003e library, versions 3.0.5 and earlier, contains a prototype pollution vulnerability (CVE-2026-46625) within its internal \u003ccode\u003eassign()\u003c/code\u003e function. This function copies properties from source objects to a target object using \u003ccode\u003efor...in\u003c/code\u003e loops and plain assignment. When processing a source object derived from JSON (e.g., via \u003ccode\u003eJSON.parse\u003c/code\u003e), the \u003ccode\u003e__proto__\u003c/code\u003e member becomes an own enumerable property. The \u003ccode\u003eassign\u003c/code\u003e function iterates over this property and inadvertently triggers the \u003ccode\u003eObject.prototype.__proto__\u003c/code\u003e setter. 
This results in a per-instance prototype pollution where attacker-controlled keys are inherited by the merged \u003ccode\u003eattributes\u003c/code\u003e object, allowing modification of cookie attributes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a JSON payload containing a \u003ccode\u003e__proto__\u003c/code\u003e property with malicious cookie attributes (e.g., domain, secure, samesite, expires, path).\u003c/li\u003e\n\u003cli\u003eThe application fetches configuration data from a backend endpoint, parsing the JSON response using \u003ccode\u003eJSON.parse\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe parsed JSON data, containing the attacker\u0026rsquo;s payload, is passed as the \u003ccode\u003eattributes\u003c/code\u003e argument to \u003ccode\u003eCookies.set()\u003c/code\u003e, \u003ccode\u003eCookies.remove()\u003c/code\u003e, \u003ccode\u003eCookies.withAttributes()\u003c/code\u003e, or \u003ccode\u003eCookies.withConverter()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eassign()\u003c/code\u003e function within \u003ccode\u003ejs-cookie\u003c/code\u003e iterates over the attacker-controlled \u003ccode\u003e__proto__\u003c/code\u003e property in the source object.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etarget[key] = source[key]\u003c/code\u003e assignment triggers the \u003ccode\u003eObject.prototype.__proto__\u003c/code\u003e setter on the target object.\u003c/li\u003e\n\u003cli\u003eThe attacker-provided cookie attributes are added to the prototype of the merged attributes object.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eset()\u003c/code\u003e function enumerates the merged object and includes the attacker-injected attributes in the \u003ccode\u003eSet-Cookie\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe browser receives the \u003ccode\u003eSet-Cookie\u003c/code\u003e header with the attacker-controlled 
attributes, potentially leading to session hijacking or other security issues.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eApplications that use \u003ccode\u003ejs-cookie\u003c/code\u003e and forward JSON-derived objects as the \u003ccode\u003eattributes\u003c/code\u003e argument to \u003ccode\u003eCookies.set\u003c/code\u003e, \u003ccode\u003eCookies.remove\u003c/code\u003e, \u003ccode\u003eCookies.withAttributes\u003c/code\u003e, or \u003ccode\u003eCookies.withConverter\u003c/code\u003e are vulnerable. This pattern is common when cookie configurations are loaded from backend APIs. Successful exploitation allows attackers to control cookie attributes like \u003ccode\u003edomain\u003c/code\u003e, \u003ccode\u003esecure\u003c/code\u003e, and \u003ccode\u003esamesite\u003c/code\u003e, potentially leading to cross-site scripting (XSS) or session fixation attacks. A sample payload \u003ccode\u003e{\u0026quot;__proto__\u0026quot;:{\u0026quot;domain\u0026quot;:\u0026quot;evil.example\u0026quot;,\u0026quot;secure\u0026quot;:\u0026quot;false\u0026quot;,\u0026quot;samesite\u0026quot;:\u0026quot;None\u0026quot;}}\u003c/code\u003e results in cookies being set for the attacker\u0026rsquo;s domain.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003ejs-cookie\u003c/code\u003e that addresses the prototype pollution vulnerability.\u003c/li\u003e\n\u003cli\u003eApply the patch suggested in the advisory to \u003ccode\u003esrc/assign.mjs\u003c/code\u003e to prevent the \u003ccode\u003e__proto__\u003c/code\u003e property from being processed.\u003c/li\u003e\n\u003cli\u003eImplement input validation to sanitize or reject JSON payloads containing the \u003ccode\u003e__proto__\u003c/code\u003e property before they are used as cookie attributes.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Prototype 
Pollution via JSON __proto__ Attribute in js-cookie\u0026rdquo; to identify exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and audit existing code that uses \u003ccode\u003ejs-cookie\u003c/code\u003e to ensure that JSON-derived objects are not directly passed as cookie attributes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T21:21:39Z","date_published":"2026-05-21T21:21:39Z","id":"https://feed.craftedsignal.io/briefs/2026-05-js-cookie-prototype-pollution/","summary":"The js-cookie library is vulnerable to prototype pollution via the `assign()` function when processing JSON-derived objects, enabling an attacker to inject arbitrary cookie attributes by manipulating the `__proto__` property, as demonstrated by CVE-2026-46625.","title":"js-cookie Prototype Pollution via __proto__ Attribute Injection (CVE-2026-46625)","url":"https://feed.craftedsignal.io/briefs/2026-05-js-cookie-prototype-pollution/"}],"language":"en","title":"CraftedSignal Threat Feed — Js-Cookie (\u003c= 3.0.5)","version":"https://jsonfeed.org/version/1.1"}