Moderate severityNVD Advisory· Published Jul 1, 2023· Updated Aug 27, 2025
CVE-2023-26136
CVE-2023-26136
Description
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
tough-cookienpm | < 4.1.3 | 4.1.3 |
Affected products
3- tough-cookie/tough-cookiedescription
- osv-coords2 versions
< 14.21.3-r1+ 1 more
- (no CPE)range: < 14.21.3-r1
- (no CPE)range: < 4.1.3
Patches
Vulnerability mechanics
References
13- github.com/advisories/GHSA-72xf-g2v4-qvf3ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-26136ghsaADVISORY
- github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6eghsaWEB
- github.com/salesforce/tough-cookie/issues/282ghsaWEB
- github.com/salesforce/tough-cookie/releases/tag/v4.1.3ghsaWEB
- lists.debian.org/debian-lts-announce/2023/07/msg00010.htmlghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZghsaWEB
- security.netapp.com/advisory/ntap-20240621-0006ghsaWEB
- security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/mitre
- security.netapp.com/advisory/ntap-20240621-0006/mitre
News mentions
0No linked articles in our index yet.