CVE-2023-26136

Aliases:GHSA-72xf-g2v4-qvf3

Advisory lineage Upstream: 0 Downstream: 8

Downstream

DEBIAN-CVE-2023-26136 DLA-3488-1 MGASA-2024-0080 MGASA-2025-0194 RHSA-2023:5484 RHSA-2023:5485

Modified

Published: 01 Jul 2023, 05:00

Last modified:27 Aug 2025, 20:32

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.8 CRITICAL

v3.1 (nvd)

EPSS Score

6.25% LOW

6% probability -0.62%

KEV

Not listed

Ransomware

No reports

Public exploits

2 found

Dark Web

Not detected

Timeline

01 Jul 2023, 05:00

Published

Vulnerability first disclosed

27 Aug 2025, 20:32

Last Modified

Vulnerability information updated

Description

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

CVSS Metrics

v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P
v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS Trends

Current EPSS score: 6.25%• Percentile: 91%

Techniques & Countermeasures

CWE-1321•Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Affected Systems

Npm•tough-cookie
< 4.1.3
salesforce•tough-cookie
< 4.1.3