CVE Vulnerabilities

CVE-2026-46625

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Published: Jun 10, 2026 | Modified: Jun 30, 2026
Source: NVD
  CVSS 3.x: N/A
  CVSS 2.x: (none listed)
RedHat/V2: (none listed)
RedHat/V3: 7.5 IMPORTANT
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Ubuntu: MEDIUM

JavaScript Cookie is a JavaScript API for handling cookies client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for…in plus plain assignment. When the source object is produced by JSON.parse, the JSON object's __proto__ member is an own enumerable property, so the for…in enumerates it and the target[key] = source[key] write triggers the Object.prototype.__proto__ setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys. Because the consuming set() function then enumerates the merged object with another for…in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down. This issue has been patched in version 3.0.7.
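The mechanism the description walks through, as an added example that is not js-cookie's code: a merge helper written in the for…in plus plain-assignment style, a hardened merge (an assumed fix, not the actual 3.0.7 patch), and a minimal stand-in for a set() that serialises attributes with another for…in. The cookie name, attribute defaults and JSON input are constructed for the demonstration.

```javascript
// Merge in the vulnerable style: for...in over each source, then a plain write.
// A JSON-sourced "__proto__" key reaches the Object.prototype.__proto__ setter
// and swaps the target's prototype instead of creating an own property.
function assignUnsafe(target, ...sources) {
  for (const source of sources) {
    for (const key in source) {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge (assumed fix, not the project's patch): copy own keys only and
// never write a property named "__proto__", so the setter is never reached.
function assignSafe(target, ...sources) {
  for (const source of sources) {
    for (const key of Object.keys(source)) {
      if (key === '__proto__') continue;
      target[key] = source[key];
    }
  }
  return target;
}

// Stand-in for a cookie set(): enumerates the merged attributes with for...in,
// which walks own keys first and then any enumerable inherited keys.
function buildCookieString(name, value, attributes) {
  let out = name + '=' + encodeURIComponent(value);
  for (const attrName in attributes) {
    if (!attributes[attrName]) continue;
    out += '; ' + attrName;
    if (attributes[attrName] === true) continue;
    // Truncate at ';' so one attribute cannot smuggle in another.
    out += '=' + String(attributes[attrName]).split(';')[0];
  }
  return out;
}

// Constructed input: attributes the developer considers fixed, merged with a
// JSON document that carries an own, enumerable "__proto__" member.
const lockedDefaults = { path: '/app', secure: true, sameSite: 'strict' };
const untrustedJson = '{"__proto__":{"domain":"example.test"}}';

// Cookie string produced when `merge` is used to combine defaults with the JSON.
function cookieWith(merge) {
  const merged = merge({}, lockedDefaults, JSON.parse(untrustedJson));
  return buildCookieString('session', 'abc', merged);
}

// Shows where "domain" lives after the merge: inherited (hijacked prototype)
// versus absent (hardened merge). It is never an own property in either case.
function domainOrigin(merge) {
  const merged = merge({}, lockedDefaults, JSON.parse(untrustedJson));
  return {
    own: Object.prototype.hasOwnProperty.call(merged, 'domain'),
    value: merged.domain,
  };
}

// The hijack is per-instance: Object.prototype itself gains nothing.
function globalPrototypeClean() {
  cookieWith(assignUnsafe);
  return ({}).domain === undefined;
}

console.log('unsafe merge :', cookieWith(assignUnsafe));
console.log('safe merge   :', cookieWith(assignSafe));
console.log('Object.prototype untouched:', globalPrototypeClean());
```

Running it shows the unsafe merge emitting an extra `; domain=example.test` attribute that was never an own key of the merged object, while the hardened merge leaves the attribute list exactly as the defaults specified. Checking `hasOwnProperty` is the quick way to tell inherited pollution apart from a legitimate attribute when triaging a similar report.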

Weakness

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Affected Software

Name                                Vendor   Start Version                                         End Version
Red Hat OpenShift Service Mesh 3.3  RedHat   openshift-service-mesh/kiali-ossmc-rhel9:1782231869   *
Red Hat OpenShift Service Mesh 3.3  RedHat   openshift-service-mesh/kiali-rhel9:1782201466         *

Potential Mitigations

References