← All CVEs

CVE-2026-46625

HIGH 7.5

Published 2026-06-10 · Last modified 2026-06-30

JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property, so the for…in enumerates it and the target[key] = source[key] write triggers the Object.prototype.__proto__ setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys. Because the consuming set() function then enumerates the merged object with another for...in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down. This issue has been patched in version 3.0.7.

ELEVATED IMPACT

Severe if exploited (CVSS 7.5), but no known exploitation and low modeled probability. Patch on a normal cadence.

Exploitation likelihood

0.4%chance of exploitation in 30 days · 34th percentile

○ In CISA KEV ○ Public exploit / PoC

Impact if exploited

7.5CVSS 3.1 · HIGH

  • ConfidentialityNone
  • IntegrityHigh
  • AvailabilityNone

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: No account or privileges required
  • User interaction: No user interaction needed
  • Complexity: No special conditions — reliably repeatable

✓ lowers the bar for an attacker · ⚠ raises it

Affected

Vendors Js Cookie Red Hat

Products Js Cookie Red Hat Openshift Service Mesh 3.3 Cryostat 4 Openshift Lightspeed Red Hat 3scale Api Management Platform 2 Red Hat Advanced Cluster Security 4 Red Hat Developer Hub Red Hat Jboss Enterprise Application Platform 7

Weakness (CWE)

  • CWE-1321
  • CWE-915

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Sources: NVD · CVE.org · EPSS