
CVE-2023-26136: tough-cookie Prototype Pollution vulnerability

CVSS Score
6.5 (CVSS 3.1)

Basic Information

EPSS Score
0.89439%
Published
7/1/2023
Updated
6/21/2024
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Package Name
tough-cookie
Ecosystem
npm
Vulnerable Versions
< 4.1.3
First Patched Version
4.1.3

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from using object literals ({}) instead of Object.create(null) for the cookie store index (idx). An object literal inherits from Object.prototype, so a lookup such as idx["__proto__"] resolves to Object.prototype itself rather than to a missing entry. When the CookieJar operates in rejectPublicSuffixes=false mode, an attacker can set a cookie whose domain or path field is __proto__; the store then writes the cookie's path and key onto Object.prototype, polluting every object in the process. Commit 12d4747 replaces all {} initializations in memstore.js with Object.create(null), which has no prototype chain, confirming that these initialization sites are the affected code. The test case added in cookie_jar_test.js demonstrates the exploit scenario against those object initialization patterns.
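To make the root cause concrete, here is an added example (not tough-cookie's own code, and not from the Miggo page) that reproduces the idx[domain][path][key] pattern in isolation. VulnerableIndex uses object literals as the original memstore.js did; HardenedIndex uses Object.create(null) at every level as the fix does. The pollutes() helper, the "/polluted" path and the "evil" key are constructed for this demonstration; it stands in for a CookieJar running with rejectPublicSuffixes=false, which is what lets a "domain" of __proto__ reach the store.

```javascript
// Added example: minimal in-memory cookie index modelled on the
// idx[domain][path][key] shape of tough-cookie's MemoryCookieStore.
// This is NOT tough-cookie's code; it isolates the root cause.

class VulnerableIndex {
  constructor() {
    this.idx = {}; // object literal: inherits from Object.prototype
  }
  put(domain, path, key, value) {
    // idx["__proto__"] is Object.prototype (truthy), so the guard is skipped
    if (!this.idx[domain]) this.idx[domain] = {};
    // likewise idx[domain]["__proto__"] resolves to Object.prototype
    if (!this.idx[domain][path]) this.idx[domain][path] = {};
    this.idx[domain][path][key] = value; // may land on Object.prototype
  }
}

class HardenedIndex {
  constructor() {
    this.idx = Object.create(null); // no prototype chain at all
  }
  put(domain, path, key, value) {
    // "__proto__" is just an ordinary own property name here
    if (!this.idx[domain]) this.idx[domain] = Object.create(null);
    if (!this.idx[domain][path]) this.idx[domain][path] = Object.create(null);
    this.idx[domain][path][key] = value;
  }
}

// Stores one attacker-shaped cookie (constructed values) and reports whether
// an unrelated, freshly created object now observes the injected data.
// Cleans up Object.prototype afterwards so repeated calls start pristine.
function pollutes(IndexClass, domain, path, key) {
  const store = new IndexClass();
  store.put(domain, path, key, "injected");

  const probe = {}; // unrelated object; should know nothing about the cookie
  const viaDomainVector =
    probe[path] !== undefined && probe[path] !== null && probe[path][key] === "injected";
  const viaPathVector = probe[key] === "injected";
  const hit = viaDomainVector || viaPathVector;

  // Remove anything that leaked onto Object.prototype. Never delete the
  // "__proto__" accessor itself, which would break the runtime.
  for (const name of [path, key]) {
    if (name !== "__proto__" && Object.prototype.hasOwnProperty.call(Object.prototype, name)) {
      delete Object.prototype[name];
    }
  }
  return hit;
}

// Domain vector: a cookie whose domain is "__proto__".
console.log("vulnerable, domain=__proto__:", pollutes(VulnerableIndex, "__proto__", "/polluted", "evil"));
console.log("hardened,   domain=__proto__:", pollutes(HardenedIndex, "__proto__", "/polluted", "evil"));
// Path vector: a cookie whose path is "__proto__".
console.log("vulnerable, path=__proto__:  ", pollutes(VulnerableIndex, "example.com", "__proto__", "evil"));
console.log("hardened,   path=__proto__:  ", pollutes(HardenedIndex, "example.com", "__proto__", "evil"));
```

Both vectors shown here (domain and path) are why the fix replaces every {} in memstore.js, not just the top-level index: a plain object at any level of the nesting reintroduces the prototype lookup. In an affected application, check the installed version with `npm ls tough-cookie` and upgrade to 4.1.3 or later; leaving rejectPublicSuffixes at its default is also a defence in depth, since it is the false setting that admits a __proto__ domain.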


WAF Protection Rules

WAF Rule

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initiali
