MEDIUM · CVSS 6.5
CVE-2023-26136 — tough-cookie prototype pollution
A prototype-pollution vulnerability in tough-cookie — used inside every major HTTP client (axios, got, request) — could let malicious cookies pollute `Object.prototype`, changing application behavior downstream.
Affects
- tough-cookie < 4.1.3
What an attacker does
A backend HTTP call to an attacker-controlled URL returns a crafted Set-Cookie header. tough-cookie parses and stores it, and the cookie's properties end up written onto `Object.prototype`. Every subsequent operation on any object in the process then sees the polluted properties. Depending on your app, this becomes anything from feature-flag poisoning to auth bypass.
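To make the mechanism concrete, here is an added example (not tough-cookie's own code) of a toy cookie index keyed by cookie domain. The vulnerable form stores cookies under a plain `{}`, so a domain of `__proto__` resolves to `Object.prototype` and the cookie's key/value lands there; the hardened form uses a null-prototype object, where every key is an own property, plus an input validator as a second layer. The cookie records are constructed for illustration; the public advisory for this CVE ties the real bug to jars created with `rejectPublicSuffixes: false`.

```javascript
// Added example, not tough-cookie's code: a toy domain-keyed cookie index in
// vulnerable and hardened form. All cookie records below are constructed.

// Names that, used as keys on a plain object, reach into the prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Defense-in-depth check for any cookie field that will be used as an object key.
function isUnsafeKey(name) {
  return FORBIDDEN_KEYS.has(String(name));
}

// Vulnerable pattern: with idx = {}, idx['__proto__'] resolves to
// Object.prototype, so the inner assignment adds a property to every object.
function indexPlain(cookies) {
  const idx = {};
  for (const c of cookies) {
    if (!idx[c.domain]) idx[c.domain] = {};
    idx[c.domain][c.key] = c.value;
  }
  return idx;
}

// Hardened pattern: a null-prototype object has no inherited __proto__ accessor,
// so '__proto__' is just an ordinary own property and nothing leaks outward.
function indexSafe(cookies) {
  const idx = Object.create(null);
  for (const c of cookies) {
    if (!idx[c.domain]) idx[c.domain] = Object.create(null);
    idx[c.domain][c.key] = c.value;
  }
  return idx;
}

// True if Object.prototype itself now carries `key` (i.e. it has been polluted).
function prototypeIsPolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

// Constructed input: one ordinary cookie and one whose domain is a prototype key.
const SAMPLE_COOKIES = [
  { domain: 'example.test', key: 'session', value: 'abc' },
  { domain: '__proto__', key: 'polluted', value: 'yes' },
];
```

Running `indexSafe(SAMPLE_COOKIES)` leaves `({}).polluted` undefined, while `indexPlain(SAMPLE_COOKIES)` makes it `'yes'` for every object in the process. In application code, prefer a `Map` or a null-prototype object for any structure keyed by attacker-influenced strings, and reject `isUnsafeKey` names before they reach such a structure.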
How to detect
Run `npm ls tough-cookie` and look for any resolved copy below 4.1.3, including ones nested under an HTTP client.
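As an added example (not part of the advisory), the following script walks the JSON tree that `npm ls tough-cookie --json --all` prints and reports every tough-cookie copy below 4.1.3 together with the dependency path that pulls it in. The tree embedded here is constructed for illustration, including the package versions; in practice you would `JSON.parse` the command's stdout instead.

```javascript
// Added example, not from the advisory: find vulnerable tough-cookie copies in
// `npm ls tough-cookie --json --all` output. SAMPLE_TREE is constructed data.

const FIXED_VERSION = '4.1.3';

// Numeric "major.minor.patch" comparison; returns -1, 0 or 1.
// Prerelease/build suffixes are ignored; use the `semver` package for full rules.
function compareSemver(a, b) {
  const pa = a.split('.').map((n) => parseInt(n, 10));
  const pb = b.split('.').map((n) => parseInt(n, 10));
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over the npm ls tree, collecting each tough-cookie node
// whose version is older than the fixed one, with the path that reaches it.
function findVulnerable(tree, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = [...path, `${name}@${node.version || '?'}`];
    if (name === 'tough-cookie' && node.version &&
        compareSemver(node.version, FIXED_VERSION) < 0) {
      out.push({ version: node.version, path: here.join(' > ') });
    }
    findVulnerable(node, here, out);
  }
  return out;
}

// Constructed tree in the shape npm ls --json emits; versions are made up.
const SAMPLE_TREE = {
  name: 'demo-app',
  version: '1.0.0',
  dependencies: {
    got: {
      version: '12.6.1',
      dependencies: { 'tough-cookie': { version: '4.1.2' } },
    },
    'axios-cookiejar-support': {
      version: '4.0.7',
      dependencies: { 'tough-cookie': { version: '4.1.3' } },
    },
    'legacy-scraper': {
      version: '0.3.0',
      dependencies: {
        request: {
          version: '2.88.2',
          dependencies: { 'tough-cookie': { version: '2.5.0' } },
        },
      },
    },
  },
};
```

`findVulnerable(SAMPLE_TREE)` returns the two pre-4.1.3 copies (4.1.2 under got and 2.5.0 under request) and skips the patched one. The same walk works on real output via `findVulnerable(JSON.parse(stdout))`; `npm audit` reports the CVE too, but the path output here is what you need to decide which direct dependency to bump.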
How to fix
Upgrade tough-cookie to 4.1.3+ (via axios 1.6.0+ / got 13.0.0+).
How Securie catches it
Securie walks each HTTP client's transitive dependency tree and flags any vulnerable tough-cookie version it finds there.