libjs-jquery-cookie: patch CVE-2026-46625

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-46625

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Ankur Tyagi
2026-06-13 20:18:16 +12:00
committed by Anuj Mittal
parent 24a11f288c
commit 06e68d3d60
2 changed files with 66 additions and 1 deletions
@@ -0,0 +1,63 @@
From 808905ea1bb4582bcfd681ba1bb8a1c1d1113b40 Mon Sep 17 00:00:00 2001
From: Klaus Hartl <klaus.hartl@gmail.com>
Date: Fri, 15 May 2026 11:23:44 +0200
Subject: [PATCH] Prevent cookie attribute injection
Given that we are using a `for ... in` loop for assembling a cookie's
attributes required for writing/removing, we are vulnerable to prototype
pollution, where an attacker might attempt to add/overwrite certain
attributes and with that broadening access or wiping out a cookie
altogether.
Such malicious attributes input could most likely come from an object
parsed from a JSON string; for example looking like
'{"__proto__":{"samesite":"None"}}'.
Note that at the moment we're tied to using this kind of for-loop for
compatibility with IE 10 + 11.
(cherry picked from commit eb3c40e89731e99b8970faaf35ddad249c6c0020)
CVE: CVE-2026-46625
Upstream-Status: Backport [https://github.com/js-cookie/js-cookie/commit/eb3c40e89731e99b8970faaf35ddad249c6c0020]
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
src/assign.mjs | 1 +
test/tests.js | 12 ++++++++++++
2 files changed, 13 insertions(+)
diff --git a/src/assign.mjs b/src/assign.mjs
index 2934ff3..a0e55f1 100644
--- a/src/assign.mjs
+++ b/src/assign.mjs
@@ -3,6 +3,7 @@ export default function (target) {
for (var i = 1; i < arguments.length; i++) {
var source = arguments[i]
for (var key in source) {
+ if (key === '__proto__') continue
target[key] = source[key]
}
}
diff --git a/test/tests.js b/test/tests.js
index da65d74..c3ab54e 100644
--- a/test/tests.js
+++ b/test/tests.js
@@ -489,6 +489,18 @@ QUnit.test(
}
)
+QUnit.test(
+ 'sanitization of attributes to prevent prototype pollution from untrusted input',
+ function (assert) {
+ var untrusted = JSON.parse('{"__proto__":{"foo":"bar"}}')
+ assert.strictEqual(
+ Cookies.set('c', 'v', untrusted),
+ 'c=v; path=/',
+ 'should prevent attribute-injection via prototype pollution'
+ )
+ }
+)
+
QUnit.module('remove', lifecycle)
QUnit.test('deletion', function (assert) {
@@ -3,7 +3,9 @@ HOMEPAGE = "https://github.com/js-cookie/js-cookie"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=e16cf0e247d84f8999bf55865a9c98cf"
SRC_URI = "git://github.com/js-cookie/js-cookie.git;protocol=https;branch=main"
SRC_URI = "git://github.com/js-cookie/js-cookie.git;protocol=https;branch=main \
file://CVE-2026-46625.patch \
"
SRCREV = "ab3f67fc4fad88cdf07b258c08e4164e06bf7506"