CVE-2023-26136
Prototype Pollution vulnerability in tough-cookie (npm)


What is CVE-2023-26136 About?

This is a Prototype Pollution vulnerability in 'tough-cookie' before version 4.1.3, caused by improper handling of cookies when the CookieJar is configured with `rejectPublicSuffixes=false`. The root cause is how the library initializes its internal objects, which lets an attacker inject arbitrary properties into JavaScript object prototypes. Exploitation is moderately complex, requiring an understanding of the library's cookie handling and object initialization.

Affected Software

tough-cookie <4.1.3

Technical Details

The vulnerability in 'tough-cookie' versions prior to 4.1.3 is a Prototype Pollution issue that occurs specifically when the CookieJar is configured with `rejectPublicSuffixes=false`. With that setting, domains that would normally be rejected as public suffixes are accepted, which exposes a flaw in how the library initializes the objects it stores cookies in: they are ordinary JavaScript objects that inherit from `Object.prototype`. An attacker can craft a cookie whose domain is `__proto__`; when 'tough-cookie' processes it, the lookup resolves to the shared `Object.prototype`, so the attacker can add or overwrite properties on it. Because nearly every object in the process inherits from that prototype, the injected properties show up on unrelated objects throughout the application. Depending on how the application subsequently uses the affected objects, this can result in denial of service, security feature bypass, or remote code execution.

What is the Impact of CVE-2023-26136?

Successful exploitation may allow attackers to inject arbitrary properties into JavaScript object prototypes, potentially leading to denial of service, security feature bypasses, or even remote code execution.

What is the Exploitability of CVE-2023-26136?

Exploitation of this Prototype Pollution vulnerability requires crafting a malicious cookie string that abuses the library's improper object initialization. The complexity is moderate, requiring a detailed understanding of the internal cookie parsing and object creation mechanisms of 'tough-cookie', especially when `rejectPublicSuffixes=false`. No authentication or elevated privileges are generally required, as long as the attacker can set or influence cookies processed by the application. This is typically a remote vulnerability, since cookies are delivered over HTTP/HTTPS. The primary precondition is the use of a vulnerable 'tough-cookie' version with `rejectPublicSuffixes=false`; web applications relying on that configuration are the most exposed.

What are the Known Public Exploits?

| PoC Author | Link | Commentary |
|---|---|---|
| CUCUMBERanOrSNCompany | Link | Researching on the vulnerability CVE-2023-26136 |
| guy2610 | Link | PoC for CVE-2023-26136 |
| ronmadar | Link | Fix open source package uses tough-cookie 2.5.0 - CVE-2023-26136 |

What are the Available Fixes for CVE-2023-26136?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch ensures all critical internal objects used to store cookies are created with null prototypes using Object.create(null), preventing prototype pollution attacks that exploit JavaScript's default object prototype inheritance. By doing so, it fixes CVE-2023-26136, which allowed attackers to set cookies for domains like __proto__ and manipulate or overwrite standard object properties, potentially leading to security issues such as unauthorized access or application crashes.
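As an added illustration of the flaw described under Technical Details and of the null-prototype fix described above (example code, not tough-cookie's own implementation), the following builds a minimal domain → path → name cookie index two ways and shows what an unrelated object sees after the same input. The index layout, the `makeIndex`/`runComparison` helpers and the sample cookie values are assumptions for the demonstration.

```javascript
// Added example (not tough-cookie's code): a minimal cookie index modelled on the
// domain -> path -> name layout the advisory describes, built two ways: with plain
// object literals (the vulnerable pattern) and with Object.create(null) (the fix).
function makeIndex(hardened) {
  // A plain {} inherits from Object.prototype, so idx['__proto__'] resolves to
  // Object.prototype itself; a null-prototype object treats '__proto__' as an
  // ordinary own key and never touches the shared prototype.
  const fresh = () => (hardened ? Object.create(null) : {});
  const idx = fresh();
  return {
    put(domain, path, name, value) {
      if (!idx[domain]) idx[domain] = fresh();
      if (!idx[domain][path]) idx[domain][path] = fresh();
      idx[domain][path][name] = value;
    },
    get(domain, path, name) {
      const byPath = idx[domain] && idx[domain][path];
      return byPath ? byPath[name] : undefined;
    },
  };
}

// Defender-side probe: does a brand-new, unrelated object see the injected key?
function prototypeIsPolluted(path, name) {
  const probe = {};
  return probe[path] !== undefined && probe[path][name] !== undefined;
}

// Feed identical input to both variants and report what an unrelated object sees.
// Cleans Object.prototype afterwards so the process is not left polluted.
function runComparison() {
  const result = {};
  for (const hardened of [true, false]) {
    const jar = makeIndex(hardened);
    jar.put('example.com', '/', 'session', 'abc'); // ordinary cookie (constructed)
    jar.put('__proto__', '/', 'polluted', 'yes');  // constructed hostile domain value
    result[hardened ? 'hardened' : 'vulnerable'] = {
      ordinaryCookieStored: jar.get('example.com', '/', 'session') === 'abc',
      unrelatedObjectPolluted: prototypeIsPolluted('/', 'polluted'),
    };
    delete Object.prototype['/']; // no-op when nothing was injected
  }
  return result;
}

console.log(runComparison());
```

The hardened variant stores both cookies as ordinary entries and leaves `Object.prototype` untouched, while the plain-object variant reports the unrelated probe object as polluted; the same probe is a cheap regression check to keep beside any cookie-store code.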

Available Upgrade Options

  • tough-cookie
    • <4.1.3 → Upgrade to 4.1.3


Additional Resources

What are Similar Vulnerabilities to CVE-2023-26136?

Similar Vulnerabilities: CVE-2022-24348, CVE-2021-23566, CVE-2020-28281, CVE-2020-7798, CVE-2019-10767