PT-2026-42689 · Js Cookie+1 · Js-Cookie

Published 2026-05-21 · Updated 2026-06-11 · CVE-2026-46625

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: js-cookie versions prior to 3.0.7
Description: The internal assign() function copies properties using a for...in loop and plain assignment. When a source object is created via JSON.parse, the __proto__ member is treated as an own enumerable property. This allows the target[key] = source[key] operation to trigger the Object.prototype.__proto__ setter on the target object, replacing that object's prototype (a per-instance prototype hijack rather than a change to the global Object.prototype). Consequently, when set() enumerates the attributes object it also sees the properties inherited from the hijacked prototype, allowing an attacker to inject unauthorized attribute pairs such as domain=, secure=, samesite=, expires=, and path= into the resulting Set-Cookie string. This occurs when applications pass JSON-derived objects as the attributes argument to functions like set(), remove(), withAttributes(), or withConverter().
Recommendations: Update to version 3.0.7. As a temporary workaround, avoid passing JSON-derived objects directly as the attributes argument to the set(), remove(), withAttributes(), or withConverter() functions.
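The following is an added illustration of the copy pattern the description above refers to, placed beside a hardened variant; it is not js-cookie's own source, and the function names, the attribute serializer and the sample input are assumptions constructed for this example.

```javascript
// Naive property copy: for...in plus plain assignment, the pattern the
// advisory describes for the internal assign() helper (illustrative only).
function naiveAssign(target, ...sources) {
  for (const source of sources) {
    for (const key in source) {
      target[key] = source[key]; // a "__proto__" key reaches the setter here
    }
  }
  return target;
}

// Hardened copy: only the source's own keys are considered, and
// "__proto__" is never assigned, so the target's prototype is left alone.
function safeAssign(target, ...sources) {
  for (const source of sources) {
    for (const key of Object.keys(source)) {
      if (key === '__proto__') continue;
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed sample: an attributes object as it might arrive after
// JSON.parse. JSON.parse creates "__proto__" as an *own* enumerable
// property instead of invoking the setter, which is what makes the
// later copy dangerous.
const jsonAttrs = JSON.parse(
  '{"path":"/app","__proto__":{"domain":"example.test"}}'
);

// Serializes the attributes in the style of a Set-Cookie suffix; for...in
// walks inherited enumerable properties too, so a hijacked prototype shows up.
function buildAttributeString(attrs) {
  let out = '';
  for (const name in attrs) {
    if (attrs[name] === false) continue;
    out += '; ' + name + (attrs[name] === true ? '' : '=' + attrs[name]);
  }
  return out;
}

// Vulnerable path: the JSON-derived "__proto__" replaces the instance's
// prototype, and "domain=" leaks into the serialized attributes.
function demoNaive() {
  return buildAttributeString(naiveAssign({}, { path: '/' }, jsonAttrs));
}

// Hardened path: only the declared "path" attribute survives.
function demoSafe() {
  return buildAttributeString(safeAssign({}, { path: '/' }, jsonAttrs));
}
```

Note that Object.prototype itself is untouched in either case; the damage is confined to the single attributes object, which is why the advisory calls it a per-instance hijack.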

Exploit

Fix

Prototype Pollution

Weakness Enumeration

Related Identifiers

CVE-2026-46625
GHSA-QJX8-664M-686J

Affected Products

Js-Cookie