EXECUTIVE SUMMARY:
CVE-2026-46625 (CVSS score 7.5) is a vulnerability in the npm package js-cookie, titled "JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection". The flaw lies in the internal assign() helper, which copies properties with for...in plus plain assignment. A source object carrying a member named __proto__ therefore replaces the prototype of the per-call attributes object rather than being copied as an ordinary key, and the attributes inherited from that prototype are then serialized into the cookie. An attacker can exploit this by supplying a JSON-derived object as the attributes argument to Cookies.set, Cookies.remove, Cookies.withAttributes, or Cookies.withConverter, gaining the ability to set the domain, secure, samesite, expires, and path attributes of the cookie. If exploited, this can lead to sensitive information disclosure and cookie manipulation, enabling malicious activity such as session hijacking or unauthorized access. Exploitation requires the presence of a vulnerable package version and the ability to influence the attributes object, typically in a server-side application.
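The copy pattern described above, as an added illustration that is not js-cookie's own source and is not the project's fix: a minimal for...in plus assignment helper (assignUnsafe) next to a hardened variant (assignSafe) that copies only own keys and skips __proto__, together with a simplified attribute serializer (buildCookieString) that shows why a hijacked per-instance prototype ends up in the cookie string. All function names and the sample JSON are constructed for this example.

```javascript
// Vulnerable pattern (model of what the advisory describes, not js-cookie's code):
// for...in plus plain assignment. JSON.parse creates an own property literally
// named "__proto__", for...in enumerates it, and the assignment then hits the
// target's inherited __proto__ setter, replacing the target's prototype with the
// untrusted object. Nothing global is polluted; only this one instance is hijacked.
function assignUnsafe(target, ...sources) {
  for (const source of sources) {
    if (source == null) continue;
    for (const key in source) {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened copy (hypothetical mitigation): enumerate own keys only and refuse
// the one key whose assignment alters the prototype chain.
function assignSafe(target, ...sources) {
  for (const source of sources) {
    if (source == null) continue;
    for (const key of Object.keys(source)) {
      if (key === '__proto__') continue;
      target[key] = source[key];
    }
  }
  return target;
}

// Simplified serializer modelled on how cookie libraries build the attribute
// string: for...in walks inherited properties too, so attributes that arrived
// via a hijacked prototype are emitted exactly like legitimate ones.
function buildCookieString(name, value, attributes) {
  let str = name + '=' + encodeURIComponent(value);
  for (const attributeName in attributes) {
    if (!attributes[attributeName]) continue;
    str += '; ' + attributeName;
    if (attributes[attributeName] === true) continue;
    // Drop anything after a ';' so one attribute value cannot smuggle another.
    str += '=' + String(attributes[attributeName]).split(';')[0];
  }
  return str;
}

// Constructed input: untrusted JSON reaching the attributes argument.
const UNTRUSTED_JSON = '{"__proto__": {"domain": "example.test", "secure": true}}';

// Runs one copy helper over application defaults plus the untrusted object and
// returns the resulting cookie string, so the two helpers can be compared.
function demo(assign) {
  const defaults = { path: '/' };
  const attributes = assign({}, defaults, JSON.parse(UNTRUSTED_JSON));
  return buildCookieString('session', 'abc', attributes);
}

console.log('unsafe:', demo(assignUnsafe)); // domain and secure leak into the cookie
console.log('safe:  ', demo(assignSafe));   // only the application's own path survives
```

The difference is visible in the prototype, not in the own keys: after assignUnsafe the attributes object still has only path as an own property, which is why a review that inspects Object.keys() alone will not notice the injected domain and secure values. Checking Object.getPrototypeOf() against Object.prototype after the copy is a cheap invariant to assert in tests for any helper that merges user-controlled objects.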
RECOMMENDATION:
We recommend updating js-cookie to version 3.0.7 or later.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-qjx8-664m-686j