CVE-2026-46625
Description
JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property, so the for…in enumerates it and the target[key] = source[key] write triggers the Object.prototype.__proto__ setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys. Because the consuming set() function then enumerates the merged object with another for...in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down. This issue has been patched in version 3.0.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
js-cookienpm | < 3.0.7 | 3.0.7 |
Affected products
32- osv-coords31 versionspkg:apk/chainguard/drupal-11.3pkg:apk/chainguard/kibana-8.17pkg:apk/chainguard/kibana-8.17-bitnamipkg:apk/chainguard/kibana-8.17-iamguardedpkg:apk/chainguard/kibana-8.19pkg:apk/chainguard/kibana-8.19-bitnamipkg:apk/chainguard/kibana-8.19-iamguardedpkg:apk/chainguard/kibana-9.0pkg:apk/chainguard/kibana-9.0-bitnamipkg:apk/chainguard/kibana-9.0-iamguardedpkg:apk/chainguard/kibana-9.1pkg:apk/chainguard/kibana-9.1-iamguardedpkg:apk/chainguard/kibana-9.2pkg:apk/chainguard/kibana-9.2-iamguardedpkg:apk/chainguard/kibana-9.3pkg:apk/chainguard/kibana-9.3-iamguardedpkg:apk/chainguard/kibana-9.4pkg:apk/chainguard/kibana-9.4-iamguardedpkg:apk/chainguard/langfuse-2-workerpkg:apk/chainguard/langfuse-fips-2-workerpkg:apk/chainguard/opensearch-dashboards-2pkg:apk/chainguard/opensearch-dashboards-2-fipspkg:apk/chainguard/opensearch-dashboards-3pkg:apk/chainguard/opensearch-dashboards-3-fipspkg:apk/chainguard/redisinsightpkg:apk/chainguard/safpkg:apk/chainguard/wazuh-dashboardpkg:apk/chainguard/wazuh-dashboard-fipspkg:apk/wolfi/opensearch-dashboards-3pkg:apk/wolfi/safpkg:npm/js-cookie
< 11.3.13-r3+ 30 more
- (no CPE)range: < 11.3.13-r3
- (no CPE)range: < 8.17.10-r22
- (no CPE)range: < 8.17.10-r22
- (no CPE)range: < 8.17.10-r22
- (no CPE)range: < 8.19.16-r2
- (no CPE)range: < 8.19.16-r2
- (no CPE)range: < 8.19.16-r2
- (no CPE)range: < 9.0.8-r30
- (no CPE)range: < 9.0.8-r30
- (no CPE)range: < 9.0.8-r30
- (no CPE)range: < 9.1.10-r19
- (no CPE)range: < 9.1.10-r19
- (no CPE)range: < 9.2.8-r7
- (no CPE)range: < 9.2.8-r7
- (no CPE)range: < 9.3.5-r2
- (no CPE)range: < 9.3.5-r2
- (no CPE)range: < 9.4.2-r1
- (no CPE)range: < 9.4.2-r1
- (no CPE)range: < 2.95.12-r25
- (no CPE)range: < 2.95.12-r27
- (no CPE)range: < 2.19.5-r12
- (no CPE)range: < 2.19.5-r12
- (no CPE)range: < 3.6.0-r6
- (no CPE)range: < 3.6.0-r8
- (no CPE)range: < 3.4.2-r3
- (no CPE)range: < 1.6.0-r0
- (no CPE)range: < 4.14.5-r1
- (no CPE)range: < 4.14.4-r3
- (no CPE)range: < 3.6.0-r6
- (no CPE)range: < 1.6.0-r0
- (no CPE)range: < 3.0.7
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-qjx8-664m-686jghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-46625ghsaADVISORY
- github.com/js-cookie/js-cookie/commit/eb3c40e89731e99b8970faaf35ddad249c6c0020nvdWEB
- github.com/js-cookie/js-cookie/releases/tag/v3.0.7nvdWEB
- github.com/js-cookie/js-cookie/security/advisories/GHSA-qjx8-664m-686jnvdWEB
News mentions
0No linked articles in our index yet.