Upstream information

CVE-2026-46625 at MITRE

Description

JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property, so the for...in enumerates it and the target[key] = source[key] write triggers the Object.prototype.__proto__ setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys. Because the consuming set() function then enumerates the merged object with another for...in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down. This issue has been patched in version 3.0.7.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having important severity.

CVSS v3 Scores
CVSS detail CNA (0b0ca135-0b70-47e7-9f44-1890c2a1c46c) CNA (GitHub)
Base Score 7.5 7.5
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector Network Network
Attack Complexity Low Low
Privileges Required None None
User Interaction None None
Scope Unchanged Unchanged
Confidentiality Impact None None
Integrity Impact High High
Availability Impact None None
CVSSv3 Version 3.1 3.1
SUSE Bugzilla entry: 1269632 [NEW]

No SUSE Security Announcements cross referenced.


SUSE Timeline for this CVE

CVE page created: Thu Jun 11 02:01:06 2026
CVE page last modified: Tue Jun 30 13:04:09 2026