JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
CVE-2026-46625

7.5HIGH

Key Information:

Vendor

Js-cookie

Status
Js-cookie
Vendor
CVE Published:
10 June 2026

What is CVE-2026-46625?

JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "proto" member is an own enumerable property, so the for…in enumerates it and the target[key] = source[key] write triggers the Object.prototype.proto setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys. Because the consuming set() function then enumerates the merged object with another for...in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down. This issue has been patched in version 3.0.7.

Affected Version(s)

js-cookie < 3.0.7

References

https://github.com/js-cookie/js-cookie/security/advisorie...
x_refsource_CONFIRM
https://github.com/js-cookie/js-cookie/commit/eb3c40e8973...
x_refsource_MISC
https://github.com/js-cookie/js-cookie/releases/tag/v3.0.7
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.