cve 2023 26136

About this tag
CVE-2023-26136 is a prototype pollution vulnerability in the tough-cookie Node.js library maintained by Salesforce. The flaw affects all versions before 4.1.3 when a CookieJar is created with the option rejectPublicSuffixes=false. Attackers can craft cookie domains like Domain=proto to leak or modify properties on JavaScript's object prototype. The stable fix was released in version 4.1.3. This tag covers discussions about the vulnerability, its impact, and remediation steps for developers using tough-cookie in Node.js applications.
  1. Tough Cookie Prototype Pollution CVE-2023-26136: Fix 4.1.3 and Remediation

    Salesforce’s widely used Node.js cookie library tough-cookie was found to contain a prototype pollution vulnerability (CVE‑2023‑26136) that affects every release before 4.1.3 when a CookieJar is created with the option rejectPublicSuffixes=false; the flaw allows specially crafted cookie domains...