PatchSiren cyber security CVE debrief
CVE-2026-46625 js-cookie CVE debrief
CVE-2026-46625 is a high-severity (CVSS 7.5) vulnerability in js-cookie, the JavaScript Cookie API, affecting versions prior to 3.0.7. An attacker who can supply a cookie-attributes object that was deserialized with JSON.parse can include a '__proto__' member that replaces the prototype of the merged attributes object; attributes inherited from that injected prototype are then treated as cookie attributes, letting the attacker set arbitrary attributes including domain, secure, samesite, expires and path.
- Vendor: js-cookie
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Developers whose applications use js-cookie (the JavaScript Cookie API) at a version before 3.0.7, in particular those that pass cookie attributes built from JSON.parse output over untrusted data, or that store session identifiers or authentication tokens in cookies whose domain, secure or samesite settings matter, should check their installed version and apply the actions below.
Technical summary
The vulnerability arises from the internal assign() helper in js-cookie, which copies properties using for...in + plain assignment. When the source object is produced by JSON.parse, its '__proto__' member is an own enumerable property, so for...in visits it and the plain assignment target['__proto__'] = value invokes the inherited Object.prototype.__proto__ setter instead of creating a property. That replaces the prototype of the merged attributes object with attacker-controlled data; because for...in also visits inherited enumerable properties, the attacker's keys are then read back as cookie attributes.
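The following is an added example for this debrief, not js-cookie's source: a minimal reimplementation of the for...in + plain-assignment merge pattern the summary describes, next to a hardened variant, and a for...in style attribute serializer. The function names (assignVulnerable, assignSafe, serializeAttributes, buildCookie) and the untrusted JSON input are hypothetical and constructed for illustration.

```javascript
// Added example, not js-cookie's code. Function names are hypothetical.

// Vulnerable pattern: for...in + plain assignment. When `source` came from
// JSON.parse, "__proto__" is an own enumerable key, and target["__proto__"] = x
// invokes the inherited Object.prototype.__proto__ setter, which replaces the
// [[Prototype]] of `target` instead of adding an own property.
function assignVulnerable(target, ...sources) {
  for (const source of sources) {
    for (const key in source) {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened variant: own keys only, the prototype-bearing key names are skipped,
// and Object.defineProperty never reaches an inherited setter.
function assignSafe(target, ...sources) {
  for (const source of sources) {
    for (const key of Object.keys(source)) {
      if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
      Object.defineProperty(target, key, {
        value: source[key], writable: true, enumerable: true, configurable: true,
      });
    }
  }
  return target;
}

// Serializer in the style of a for...in walk over the attributes object.
// for...in visits inherited enumerable properties too, which is what turns a
// hijacked prototype into emitted cookie attributes.
function serializeAttributes(attributes) {
  let out = '';
  for (const name in attributes) {
    if (!attributes[name]) continue;
    out += '; ' + name;
    if (attributes[name] === true) continue;
    out += '=' + String(attributes[name]).split(';')[0];
  }
  return out;
}

// Constructed untrusted input: the application only intends to set `path`,
// but merges in an attributes object deserialized from JSON the attacker controls.
const UNTRUSTED_JSON =
  '{"__proto__": {"domain": "attacker.example", "sameSite": "None"}}';

// Builds the cookie string with the given merge function and reports whether
// the merged attributes object still has the ordinary Object prototype.
function buildCookie(assignFn, untrustedJson) {
  const defaults = { path: '/' };
  const fromUser = JSON.parse(untrustedJson);
  const merged = assignFn({}, defaults, fromUser);
  return {
    cookie: 'session=abc' + serializeAttributes(merged),
    prototypeHijacked: Object.getPrototypeOf(merged) !== Object.prototype,
  };
}

// Usage:
//   buildCookie(assignVulnerable, UNTRUSTED_JSON).cookie
//     -> 'session=abc; path=/; domain=attacker.example; sameSite=None'
//   buildCookie(assignSafe, UNTRUSTED_JSON).cookie
//     -> 'session=abc; path=/'
```

The prototypeHijacked flag is the check to run on any merged attributes object before it is serialized: if Object.getPrototypeOf(merged) is not Object.prototype, an injected prototype reached the merge. Note that Object.assign also goes through the setter for a "__proto__" key, so swapping for...in for Object.assign alone does not close this pattern; the key must be rejected or defined with defineProperty.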
Defensive priority
High
Recommended defensive actions
- Upgrade js-cookie to version 3.0.7 or later; confirm the installed version with npm ls js-cookie (or the equivalent for your package manager) and check lockfiles for older transitive copies.
- Do not pass objects deserialized from untrusted JSON directly as cookie attributes. Build the attributes object from an allow-list of expected keys (domain, path, secure, samesite, expires) and reject '__proto__', 'constructor' and 'prototype' as keys before the object reaches js-cookie.
Evidence notes
CVE-2026-46625 has a CVSS score of 7.5 and is classified as HIGH severity.
Official resources
CVE-2026-46625 was published on 2026-06-10T22:16:59.613Z and modified on 2026-06-11T17:16:34.250Z.