CVE-2023-26136: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

July 1, 2023 (updated November 7, 2023)

Versions of the package tough-cookie before 4.1.3 is vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

References

github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e
github.com/salesforce/tough-cookie/issues/282
github.com/salesforce/tough-cookie/releases/tag/v4.1.3
nvd.nist.gov/vuln/detail/CVE-2023-26136
security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873

Code Behaviors & Features

Detect and mitigate CVE-2023-26136 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →