PT-2023-4738 · Tough-Cookie
Kokorin Vsevolod · Published 2023-07-01 · Updated 2026-02-15 · CVE-2023-26136
| CVSS v2.0 base score | 10 (Critical) |
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
tough-cookie versions prior to 4.1.3
Description
When a CookieJar is constructed with rejectPublicSuffixes=false, tough-cookie stores incoming cookies in its in-memory store without adequately validating the Domain attribute it uses as an index key. A crafted cookie can therefore write into the prototype of Object rather than into an ordinary store entry (Prototype Pollution, i.e. insufficiently controlled modification of dynamically determined object attributes). Every object in the same process that does not define a property of its own then inherits the attacker-controlled value; depending on how the application consumes those objects, this can allow a remote attacker to execute arbitrary JavaScript code in the affected service.
Recommendations
Update tough-cookie to version 4.1.3 or later; this is the fix. Where the upgrade cannot be rolled out immediately, do not construct CookieJar with rejectPublicSuffixes: false (the default, true, is not affected, because the public-suffix check rejects the malformed Domain values this attack relies on), and keep cookies from untrusted servers out of any jar that must still run in that mode. Check the whole dependency tree rather than only direct dependencies: tough-cookie is frequently pulled in transitively by HTTP client libraries, so the affected copy may not appear in your own package manifest.
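To make both the mechanism and the fix concrete, the following is an added, self-contained JavaScript model written for this advisory; it is not tough-cookie's code. It keeps cookies in a nested index `idx[domain][path][key]`, the shape tough-cookie's in-memory store uses, and gates storage behind a stand-in for the public-suffix check (a bare single-label domain is treated as a public suffix; the real library consults the Public Suffix List). The attacker's cookie carries `__proto__` as its Domain, the published vector for this CVE; it only reaches the store when rejectPublicSuffixes is false. The `hardened` switch swaps `{}` for `Object.create(null)` at every level of the index, the approach the 4.1.3 fix takes. The names `makeJar`, `runScenario`, `isPublicSuffix` and the sample cookie are constructed for this illustration.

```javascript
// Added example for this advisory, not tough-cookie's code: a minimal model
// of a cookie jar whose in-memory store is indexed idx[domain][path][key].

// Constructed attacker input: a Domain attribute aimed at the prototype chain.
const ATTACKER_DOMAIN = "__proto__";

// Stand-in for the public-suffix check (assumption: the real library uses the
// Public Suffix List). Here any single-label domain counts as a public suffix,
// which is enough to show why the default rejectPublicSuffixes=true blocks it.
function isPublicSuffix(domain) {
  return !domain.includes(".");
}

// hardened=false reproduces the vulnerable layout: index levels are plain
// object literals, so idx["__proto__"] resolves to Object.prototype itself.
// hardened=true uses null-prototype objects at every level, so "__proto__"
// is an ordinary own key (the approach the 4.1.3 fix takes).
function makeJar({ rejectPublicSuffixes = true, hardened = false } = {}) {
  const fresh = () => (hardened ? Object.create(null) : {});
  const idx = fresh();

  return {
    // Returns true if stored, false if the public-suffix gate rejected the cookie.
    setCookie(domain, path, key, value) {
      if (rejectPublicSuffixes && isPublicSuffix(domain)) return false;
      if (!idx[domain]) idx[domain] = fresh();
      if (!idx[domain][path]) idx[domain][path] = fresh();
      idx[domain][path][key] = value;
      return true;
    },
    getCookie(domain, path, key) {
      const byPath = idx[domain];
      const byKey = byPath && byPath[path];
      return byKey ? byKey[key] : undefined;
    },
  };
}

// Stores the attacker's cookie in a jar with the given settings and reports
// whether an unrelated empty object now sees the injected property.
// Cleans Object.prototype afterwards so scenarios do not contaminate each other.
function runScenario({ rejectPublicSuffixes, hardened }) {
  const path = "/admin";
  const jar = makeJar({ rejectPublicSuffixes, hardened });
  const accepted = jar.setCookie(ATTACKER_DOMAIN, path, "injected", "polluted");

  const victim = {}; // has no own properties; anything visible here is inherited
  const polluted = victim[path] !== undefined && victim[path].injected === "polluted";

  if (Object.prototype.hasOwnProperty.call(Object.prototype, path)) {
    delete Object.prototype[path];
  }
  return { accepted, polluted };
}

// Default settings reject the cookie; rejectPublicSuffixes=false on the
// vulnerable layout pollutes Object.prototype; the hardened layout stores the
// cookie but keeps it out of the prototype chain.
console.log("default   :", runScenario({ rejectPublicSuffixes: true, hardened: false }));
console.log("vulnerable:", runScenario({ rejectPublicSuffixes: false, hardened: false }));
console.log("fixed     :", runScenario({ rejectPublicSuffixes: false, hardened: true }));
```

Running it prints `{ accepted: false, polluted: false }` for the default settings, `{ accepted: true, polluted: true }` for the vulnerable layout with rejectPublicSuffixes=false, and `{ accepted: true, polluted: false }` for the hardened layout. The point of the third line is that the fix does not depend on the public-suffix option at all: a null-prototype index simply has no `__proto__` to reach, so even a jar that legitimately needs rejectPublicSuffixes=false is safe once upgraded.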
Weakness Enumeration
Prototype Pollution
Related Identifiers
CVE-2023-26136
Affected Products
Astra Linux
Red Os
Tough-Cookie