Prototype Pollution Vulnerability in Tough-Cookie Package by Salesforce
CVE-2023-26136
Key Information:
- Vendor
- Salesforce
- Status
- Tough-cookie
- Vendor
- CVE Published:
- 1 July 2023
Badges
Summary
The Tough-Cookie package, specifically versions prior to 4.1.3, contains a vulnerability that allows for Prototype Pollution through improper cookie handling when using CookieJar in rejectPublicSuffixes=false mode. This issue stems from a flaw in the initialization of objects, which could potentially lead to attackers manipulating prototype properties, resulting in unexpected behavior in the application. Users are advised to upgrade to version 4.1.3 or later to mitigate this risk.
Affected Version(s)
tough-cookie 0 < 4.1.3
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved