CVE-2026-46625: JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property, so the for...in enumerates it and the target[key] = source[key] write triggers the Object.prototype.__proto__ setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys. Because the consuming set() function then enumerates the merged object with another for...in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down. This issue has been patched in version 3.0.7.
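The merge behaviour described above, modelled next to a hardened merge. This is an added illustration, not js-cookie's source and not the 3.0.7 patch; the function names, the simplified attribute serializer and the sample input are assumptions constructed for the example.

```javascript
// Pattern from the advisory text: for...in plus plain assignment.
function assignVulnerable(target, ...sources) {
  for (const source of sources) {
    for (const key in source) {
      // When key is "__proto__", this write runs the prototype setter
      // on target instead of creating an own property.
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened variant (one possible approach): own keys only, written as
// data properties so no setter runs, and prototype-related keys skipped.
function assignHardened(target, ...sources) {
  for (const source of sources) {
    for (const key of Object.keys(source)) {
      if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
      Object.defineProperty(target, key, {
        value: source[key], writable: true, enumerable: true, configurable: true,
      });
    }
  }
  return target;
}

// Simplified model of the consuming step: every enumerable key, own or
// inherited, becomes an attribute pair in the cookie string.
function attributeString(attrs) {
  let out = '';
  for (const name in attrs) {
    if (!attrs[name]) continue;
    out += '; ' + name;
    if (attrs[name] !== true) out += '=' + String(attrs[name]).split(';')[0];
  }
  return out;
}

// Constructed input: developer defaults plus externally sourced JSON.
const defaults = { path: '/', secure: true };
const untrusted = JSON.parse('{"__proto__": {"domain": ".example.test"}}');

const merged = assignVulnerable({}, defaults, untrusted);
const safe = assignHardened({}, defaults, untrusted);

console.log(attributeString(merged)); // inherited domain appears
console.log(attributeString(safe));   // only the developer's attributes
```

Checking `Object.getPrototypeOf(merged) !== Object.prototype` is a quick way to confirm the hijack is per-instance: a fresh `{}` created afterwards still has no `domain` property.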
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a prototype hijack vulnerability in js-cookie, a widely used client-side JavaScript library for reading and writing browser cookies. An attacker who can influence cookie-related input processed by JSON.parse can manipulate the attributes of any cookie the application sets, including domain, secure, samesite, expires, and path, without needing authentication or user interaction. Successful exploitation allows an attacker to inject or override cookie attributes, undermining cookie security boundaries and enabling follow-on attacks such as session fixation or cookie theft across subdomains. No fix version has been published yet; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images and build pipelines containing js-cookie, including custom-built images that bundle the library directly.
Available
HarborGuard scores this finding at 7.5 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy, then routes alerts to the appropriate team inbox within the customer org.
Available
Because no upstream fix has been published, HarborGuard re-evaluates the advisory on every ingest cycle; the moment a patched release of js-cookie appears upstream, a rebuilt image at that version becomes available, and customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a pull request opened against affected workloads automatically.
Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker delivers malicious input over the network to any endpoint that passes JSON-parsed data into js-cookie's assign() helper.
- Authentication: Not required
No credentials are needed; the attacker only needs to supply a crafted JSON payload containing a __proto__ key.
- Victim interaction: Not required
Exploitation does not require any action from a user or developer; it occurs entirely during server- or client-side processing of the malicious input.
- Attack complexity: Detail
The exploit is reliable and condition-free: any JSON object with a __proto__ own enumerable property triggers the prototype setter on the target object without requiring timing tricks or environmental preconditions.
Blast Radius
- Attacker-controlled values appear as cookie attributes in the resulting Set-Cookie string, overriding domain, secure, samesite, expires, and path settings the developer intended to lock down.
- Overriding the domain attribute can extend a cookie's scope to sibling subdomains, making the cookie readable by attacker-controlled or compromised endpoints.
- Stripping or downgrading the secure attribute causes the browser to transmit the cookie over plain HTTP, exposing its value to network interception.
- Manipulating samesite or path attributes weakens cross-site request forgery protections and broadens the set of requests that carry the affected cookie.
How HarborGuard Handles This
Available on HarborGuard: scanning for CVE-2026-46625 is active across all customer environments and surfaces any image containing a vulnerable version of js-cookie (< 3.0.7). Because no upstream patch exists yet, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment version 3.0.7 or later is published. In the interim, teams can reduce exposure by applying network-policy controls that restrict which services can influence the JSON payloads reaching cookie-handling code, enforcing strict input validation to reject objects containing __proto__ keys before they reach js-cookie, and reviewing whether any cookie-attribute configuration currently relies on user-supplied or externally sourced JSON objects. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and pull request against affected workloads will be generated immediately once an upstream fix is available.
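One way to implement the interim input validation mentioned above, as an added example that is not HarborGuard or js-cookie code: JSON-derived cookie options are rejected if any level carries an own "__proto__" key, and only allowlisted attribute names are copied forward. The function names and the allowlist policy are assumptions.

```javascript
// Assumed policy: the only attributes external input may influence.
const ALLOWED_ATTRIBUTES = new Set(['expires', 'path']);

// Returns the path of the first own "__proto__" key found, or null.
// Object.keys() lists it because JSON.parse creates it as an own property.
function findProtoKey(value, path = '$') {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    const here = Array.isArray(value) ? `${path}[${key}]` : `${path}.${key}`;
    if (key === '__proto__') return here; // return before reading value[key]
    const nested = findProtoKey(value[key], here);
    if (nested) return nested;
  }
  return null;
}

// Parses untrusted JSON and returns a fresh object containing only
// allowlisted attributes; throws on anything that fails validation.
function parseCookieOptions(jsonText) {
  const parsed = JSON.parse(jsonText);
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new TypeError('rejected input: expected a JSON object');
  }
  const hit = findProtoKey(parsed);
  if (hit) throw new TypeError(`rejected input: "__proto__" key at ${hit}`);

  const clean = {};
  for (const key of Object.keys(parsed)) {
    if (ALLOWED_ATTRIBUTES.has(key)) clean[key] = parsed[key];
  }
  return clean;
}
```

The returned object can be passed to cookie-setting code in place of the raw parsed value; logging the reported path on rejection gives responders a signal that crafted input reached the endpoint.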
- js-cookie / js-cookie < 3.0.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N