Skip to content

Update dependency js-cookie to v3.0.7 [SECURITY]#1446

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-js-cookie-vulnerability
Open

Update dependency js-cookie to v3.0.7 [SECURITY]#1446
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-js-cookie-vulnerability

Conversation

@renovate

@renovate renovate Bot commented May 21, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
js-cookie 3.0.53.0.7 age confidence

JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection

CVE-2026-46625 / GHSA-qjx8-664m-686j

More information

Details

Summary

js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property, so the for…in enumerates it and the target[key] = source[key] write triggers the Object.prototype.__proto__ setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys.

Because the consuming set() function then enumerates the merged object with another for...in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down.

Impact

Any application that forwards a JSON-derived object as the attributes argument to Cookies.set, Cookies.remove, Cookies.withAttributes, or Cookies.withConverter is vulnerable. This is the standard pattern when cookie configuration comes from a backend:

const cfg = await fetch('/config').then(r => r.json());
Cookies.set('session', token, cfg.cookieAttrs);   // cfg.cookieAttrs influenced by attacker

A payload of {"__proto__":{"domain":"evil.example","secure":"false","samesite":"None"}} causes js-cookie to emit:

Set-Cookie: session=TOKEN; path=/; domain=evil.example; secure=false; samesite=None
Affected code
// src/assign.mjs — full file
export default function (target) {
  for (var i = 1; i < arguments.length; i++) {
    var source = arguments[i]
    for (var key in source) {                 // includes own enumerable '__proto__'
      target[key] = source[key]                // [[Set]] form - fires __proto__ setter
    }
  }
  return target
}
Proof of concept

Node 22.11.0, no third-party deps:

Environment setup
mkdir -p /tmp/jscookie-poc && cd /tmp/jscookie-poc
npm init -y
npm i js-cookie
PoC
ubuntu@kuber:/tmp/jscookie-poc$ cat poc.mjs
let lastSetCookie = '';
globalThis.document = {
  get cookie() { return ''; },
  set cookie(v) { lastSetCookie = v; }
};

const { default: Cookies } = await import('js-cookie');

const attackerAttrs = JSON.parse(
  '{"__proto__":{"secure":"false","domain":"evil.com","samesite":"None","expires":-1}}'
);

Cookies.set('session', 'TOKEN', attackerAttrs);

console.log('Set-Cookie that js-cookie wrote to document.cookie:');
console.log(lastSetCookie);

Execution:
cls-2026-05-14-01 44 39

Suggested patch
--- a/src/assign.mjs
+++ b/src/assign.mjs
@&#8203;@&#8203;
 export default function (target) {
   for (var i = 1; i < arguments.length; i++) {
     var source = arguments[i]
-    for (var key in source) {
-      target[key] = source[key]
-    }
+    for (var key in source) {
+      if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue
+      Object.defineProperty(target, key, {
+        value: source[key],
+        writable: true,
+        enumerable: true,
+        configurable: true,
+      })
+    }
   }
   return target
 }

Equivalent one-liner alternative - iterate own names only and filter:

for (const key of Object.getOwnPropertyNames(source)) {
  if (key === '__proto__') continue
  target[key] = source[key]
}

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

js-cookie/js-cookie (js-cookie)

v3.0.7

Compare Source

  • Prevent cookie attribute injection: CVE-2026-46625 (eb3c40e)
  • Add Partitioned attribute to readme (b994768)
  • Publish to npm registry via trusted publisher exclusively (4dc71be)
  • Ensure consistent behaviour for get('name') + get() (1953d30)

v3.0.6

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • "after 8pm and before 8am every weekday,every weekend"

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate

renovate Bot commented May 21, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml
warn: This version of pnpm requires at least Node.js v22.13
warn: The current version of Node.js is v20.20.2
warn: Visit https://r.pnpm.io/comp to see the list of past pnpm versions with respective Node.js version support.
node:internal/modules/cjs/loader:1031
      throw new ERR_UNKNOWN_BUILTIN_MODULE(request);
            ^

Error [ERR_UNKNOWN_BUILTIN_MODULE]: No such built-in module: node:sqlite
    at Module._load (node:internal/modules/cjs/loader:1031:13)
    at Module.require (node:internal/modules/cjs/loader:1289:19)
    at require (node:internal/modules/helpers:182:18)
    at ../store/index/lib/index.js (file:///opt/containerbase/tools/pnpm/11.10.0/20.20.2/node_modules/pnpm/dist/pnpm.mjs:56737:25)
    at __init (file:///opt/containerbase/tools/pnpm/11.10.0/20.20.2/node_modules/pnpm/dist/pnpm.mjs:17:58)
    at ../resolving/npm-resolver/lib/index.js (file:///opt/containerbase/tools/pnpm/11.10.0/20.20.2/node_modules/pnpm/dist/pnpm.mjs:67949:5)
    at __init (file:///opt/containerbase/tools/pnpm/11.10.0/20.20.2/node_modules/pnpm/dist/pnpm.mjs:17:58)
    at ../workspace/projects-graph/lib/index.js (file:///opt/containerbase/tools/pnpm/11.10.0/20.20.2/node_modules/pnpm/dist/pnpm.mjs:68087:5)
    at __init (file:///opt/containerbase/tools/pnpm/11.10.0/20.20.2/node_modules/pnpm/dist/pnpm.mjs:17:58)
    at ../workspace/projects-filter/lib/index.js (file:///opt/containerbase/tools/pnpm/11.10.0/20.20.2/node_modules/pnpm/dist/pnpm.mjs:75507:5) {
  code: 'ERR_UNKNOWN_BUILTIN_MODULE'
}

Node.js v20.20.2

@renovate renovate Bot force-pushed the renovate/npm-js-cookie-vulnerability branch 4 times, most recently from 92ef2c6 to 9d26f99 Compare May 27, 2026 09:02
@renovate renovate Bot force-pushed the renovate/npm-js-cookie-vulnerability branch 2 times, most recently from 85b7953 to 1fefcc4 Compare June 12, 2026 11:14
@renovate renovate Bot force-pushed the renovate/npm-js-cookie-vulnerability branch 4 times, most recently from 389765c to 821a421 Compare June 24, 2026 07:37
@renovate renovate Bot force-pushed the renovate/npm-js-cookie-vulnerability branch 2 times, most recently from 03db5c7 to 944fe77 Compare June 30, 2026 10:08
@renovate renovate Bot force-pushed the renovate/npm-js-cookie-vulnerability branch from 944fe77 to eb50843 Compare July 8, 2026 16:47

@marie-hermes-agent marie-hermes-agent Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💬 MOA Review: COMMENT

Summary: Two reviewers approved the security update outright, and two reviewers raised the same minor concern about the absence of a lockfile change in the displayed diff. There were no conflicting substantive findings about the dependency bump itself, which appears correct and safe. Consolidating the feedback, this PR looks acceptable overall, with one medium-confidence advisory to verify the lockfile is updated if the repository uses one.

Issues Summary

🟡 1 warning(s) (see inline comments)


Mixture of Agents review — 4 models reviewed in parallel, aggregated by openai/gpt-5.4:

  • google/gemini-3.5-flash — approve, 0 issue(s), 1.8s, $0.0061
  • x-ai/grok-4.5 — comment, 0 issue(s), 0.0s, $0.0000
  • minimax/minimax-m3 — approve, 1 issue(s), 13.4s, $0.0021
  • moonshotai/kimi-k2.7-code — comment, 1 issue(s), 15.9s, $0.0055

Comment thread package.json
"classnames": "2.5.1",
"html-to-text": "9.0.5",
"js-cookie": "3.0.5",
"js-cookie": "3.0.7",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 [WARNING] The diff shows only the package.json version bump for js-cookie to 3.0.7. If this project uses a lockfile, ensure the corresponding lockfile (package-lock.json, yarn.lock, or pnpm-lock.yaml) is also updated so installs actually resolve the patched version.

Confidence: 🟡 medium | Raised by: minimax/minimax-m3, moonshotai/kimi-k2.7-code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants