
21 matches found

Cvelist
added 2026/06/10 9:18 p.m. | 29 views

CVE-2026-46625 JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection

JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property,...

7.5 CVSS | 0.00363 EPSS
Exploits: 0 | References: 3
Vulnrichment
added 2026/06/10 9:18 p.m. | 7 views

CVE-2026-46625 JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection

JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property,...

7.5 CVSS | 5.4 AI score | 0.00363 EPSS
Exploits: 0 | References: 3
CNNVD
added 2026/06/10 12:00 a.m. | 11 views

JavaScript Cookie security vulnerability

JavaScript Cookie is a lightweight JavaScript cookie operation library developed by js-cookie. Versions of JavaScript Cookie prior to 3.0.7 contained security vulnerabilities. These vulnerabilities stemmed from the use of the for...in loop and standard assignment methods to copy properties within...

7.5 CVSS | 5.3 AI score | 0.00363 EPSS
Exploits: 0 | References: 1
Patchstack
added 2026/05/21 9:20 p.m. | 7 views

NPM: JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection

NPM: JavaScript Cookie: Per-instance prototype hijack in assign enables cookie-attribute injection vulnerability discovered by ? in WordPress Npm js-cookie versions = 3.0.5...

5.8 AI score | 0.00363 EPSS
Exploits: 0 | References: 2 | Affected Software: 1
Veracode
added 2025/11/10 5:14 a.m. | 6 views

Prototype Pollution

ts-fns is vulnerable to Prototype Pollution. The vulnerability is due to insufficient validation of user-supplied keys in the assign function, which allows an attacker to modify the Object.prototype chain and inject arbitrary properties, potentially leading to application crashes, unexpected...

6.5 CVSS | 6.8 AI score | 0.004 EPSS
Exploits: 0 | References: 3 | Affected Software: 1
EUVD
added 2025/10/03 8:07 p.m. | 7 views

EUVD-2025-31070

Malicious code in bioql PyPI...

6.5 CVSS | 6.4 AI score | 0.004 EPSS
Exploits: 0 | References: 3
RedhatCVE
added 2025/09/25 2:54 a.m. | 10 views

CVE-2025-57351

A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in the assign function allows attackers to manipulate the Object.prototype chain. By leveraging this flaw, adversaries may inject arbitrary properties int...

6.5 CVSS | 7.6 AI score | 0.004 EPSS
Exploits: 0 | References: 1
Snyk
added 2025/09/24 9:30 p.m. | 4 views

Prototype Pollution

Overview ts-fns is a Public Functions. Affected versions of this package are vulnerable to Prototype Pollution via the assign function. An attacker can inject arbitrary properties into the global object's prototype by supplying crafted keys, which may result in application crashes, unexpected cod...

6.9 CVSS | 8.2 AI score | 0.004 EPSS
Exploits: 0 | References: 2
OSV
added 2025/09/24 9:30 p.m. | 4 views

GHSA-G7WQ-WGGW-VMHG ts-fns has prototype pollution vulnerability

A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in the assign function allows attackers to manipulate the Object.prototype chain. By leveraging this flaw, adversaries may inject arbitrary properties int...

6.3 CVSS | 6.4 AI score | 0.004 EPSS
Exploits: 0 | References: 4
Github Security Blog
added 2025/09/24 9:30 p.m. | 9 views

ts-fns has prototype pollution vulnerability

A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in the assign function allows attackers to manipulate the Object.prototype chain. By leveraging this flaw, adversaries may inject arbitrary properties int...

6.5 CVSS | 7.7 AI score | 0.004 EPSS
Exploits: 0 | References: 4 | Affected Software: 1
NVD
added 2025/09/24 7:15 p.m. | 3 views

CVE-2025-57351

A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in the assign function allows attackers to manipulate the Object.prototype chain. By leveraging this flaw, adversaries may inject arbitrary properties int...

6.5 CVSS | 0.004 EPSS
Exploits: 0 | References: 2
Cvelist
added 2025/09/24 12:00 a.m. | 12 views

CVE-2025-57351

A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in the assign function allows attackers to manipulate the Object.prototype chain. By leveraging this flaw, adversaries may inject arbitrary properties int...

0.004 EPSS
Exploits: 0 | References: 2
Vulnrichment
added 2025/09/24 12:00 a.m. | 3 views

CVE-2025-57351

A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in the assign function allows attackers to manipulate the Object.prototype chain. By leveraging this flaw, adversaries may inject arbitrary properties int...

7.3 AI score | 0.004 EPSS
Exploits: 0 | References: 2
Positive Technologies
added 2025/09/24 12:00 a.m. | 7 views

PT-2025-39324

Name of the Vulnerable Software and Affected Versions ts-fns versions prior to 13.0.7 Description A prototype pollution issue exists due to inadequate validation of user-supplied keys within the assign function. This allows manipulation of the Object.prototype chain. Attackers can inject arbitrar...

6.5 CVSS | 6.9 AI score | 0.004 EPSS
Exploits: 0 | References: 7
OSV
added 2025/05/15 11:15 p.m. | 13 views

CVE-2025-4727

A vulnerability was found in Meteor up to 3.2.1 and classified as problematic. This issue affects the function Object.assign of the file packages/ddp-server/livedataserver.js. The manipulation of the argument forwardedFor leads to inefficient regular expression complexity. The attack may be...

6.3 CVSS | 6.8 AI score
Exploits: 0 | References: 7
Positive Technologies
added 2024/09/30 12:00 a.m. | 4 views

PT-2024-18905 · Uplot · Uplot

Name of the Vulnerable Software and Affected Versions: uplot versions prior to 1.6.31 Description: The issue is related to Prototype Pollution via the uplot.assign function due to a missing check if the attribute resolves to the object prototype. This allows for potential manipulation of the...

8.8 CVSS | 7.3 AI score | 0.00634 EPSS
Exploits: 0 | References: 11
Veracode
added 2024/07/02 8:34 a.m. | 9 views

Prototype Pollution

che3vinci c3/utils-1 is vulnerable to Prototype Pollution. The vulnerability is due to missing checks in assign function, allowing attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties...

8.1 CVSS | 7.7 AI score | 0.00562 EPSS
Exploits: 0 | References: 2 | Affected Software: 1
CNNVD
added 2024/07/01 12:00 a.m. | 1 view

c3 utils security vulnerability

c3 utils is an open source utility library by che3vinci. A security vulnerability exists in c3 utils version 1.0.131, which originates from the inclusion of prototype contamination via the function assign, allowing an attacker to execute arbitrary code or cause a denial of service (DoS) by injectin...

8.1 CVSS | 7.7 AI score | 0.00562 EPSS
Exploits: 0 | References: 2
Code423n4
added 2022/11/28 12:00 a.m. | 8 views

Assign Function Allows for any Other Unknown Contract Address to Assign existing token.

Lines of code Vulnerability details Impact Assign Function Allows for any Other Unknown Contract Address to Assign existing token. Proof of Concept There is no check at all to confirm that the previous token owner allows for the assignment of his tokenId. The assign function only checks the...

6.8 AI score
Exploits: 0
Code423n4
added 2022/11/28 12:00 a.m. | 8 views

Existing tokens can be given to other contracts when assign function is called

Lines of code Vulnerability details Impact In the Turnstile contract when the assign function is called any unregistered contract can register himself as the feeRecipient for any given token id, but in reality only the token owner should be able to assign a new smart contract as feeRecipient for...

6.8 AI score
Exploits: 0