Cyber Resilience

CVE-2023-26136

Severity: Medium · Public PoC

Published: 01 July 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available (upgrade to tough-cookie 4.1.3 or later)
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.0625 (91.1st percentile)
Risk Priority: 17 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-26136 is a medium-severity Prototype Pollution (CWE-1321) vulnerability in the tough-cookie npm package (maintained by Salesforce). Its CVSS 3.1 base score is 6.5 (Medium).

Operationally, its EPSS score places it in the top 8.9% of CVEs by estimated exploit likelihood; it is not listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Versions of the tough-cookie npm package before 4.1.3 are vulnerable to prototype pollution (CWE-1321) when a CookieJar is instantiated with rejectPublicSuffixes set to false. The in-memory cookie store indexes cookies as domain → path → name using plain object literals ({}), so a cookie whose Domain attribute is the single label "__proto__" is indexed at idx["__proto__"], which on a plain object resolves to Object.prototype; the nested path and name writes then land on the global prototype rather than in the store. With the default rejectPublicSuffixes: true the jar rejects such a domain before it is stored, which is why the non-default configuration is the precondition. The issue carries a CVSS 3.1 score of 6.5 with network attack vector, no required privileges or user interaction, and limited impacts on confidentiality and integrity.

An unauthenticated remote attacker can supply a crafted Set-Cookie header that triggers the pollution when the vulnerable CookieJar configuration is used. Once Object.prototype carries the attacker's path key, every plain object in the process inherits it: later cookie writes for unrelated domains at the same path resolve to the polluted object and are merged into it, and any dependent code that tests properties without an own-property check (feature flags, authorization maps, option objects) can be steered by attacker-chosen values.

The referenced GitHub commit, release tag v4.1.3, and downstream advisories from Debian LTS and Fedora all direct users to upgrade to tough-cookie 4.1.3 or later, which replaces the plain object literals in the store with null-prototype objects (Object.create(null)) so that "__proto__" becomes an ordinary own key. The EPSS score has stayed in the same band, currently 0.0625 with a peak of 0.0693: a modest absolute probability, but high relative to other CVEs (91.1st percentile).
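The mechanism described above, as an added example that is not tough-cookie's own code: a deliberately simplified reconstruction of the domain → path → name index kept by the library's in-memory store, once in the shape it had before 4.1.3 (plain object literals) and once in the shape 4.1.3 moved to (Object.create(null)). The cookie objects, names and values are constructed for the demonstration, modelled on the shape of the public proof-of-concept; the library's public-suffix check, which is what keeps a "__proto__" domain out of the jar under the default rejectPublicSuffixes: true, is not reproduced here.

```javascript
// Added example, not tough-cookie's own code: simplified reconstruction of the
// store's domain -> path -> name index, in pre-4.1.3 and 4.1.3 shape.
// All cookie data below is constructed for the demonstration.

class VulnerableStore {
  constructor() {
    // Pre-4.1.3 pattern: a plain object literal, so idx["__proto__"] resolves to
    // Object.prototype and the nested writes below land on the global prototype.
    this.idx = {};
  }
  putCookie({ domain, path, key, value }) {
    if (!this.idx[domain]) this.idx[domain] = {};
    if (!this.idx[domain][path]) this.idx[domain][path] = {};
    this.idx[domain][path][key] = value;
  }
}

class HardenedStore {
  constructor() {
    // 4.1.3 pattern: a null-prototype object has no "__proto__" accessor, so a
    // domain of "__proto__" becomes an ordinary own key on the store.
    this.idx = Object.create(null);
  }
  putCookie({ domain, path, key, value }) {
    if (!this.idx[domain]) this.idx[domain] = Object.create(null);
    if (!this.idx[domain][path]) this.idx[domain][path] = Object.create(null);
    this.idx[domain][path][key] = value;
  }
}

// Post-hoc check that can sit in a test suite: a clean Object.prototype has no
// own enumerable keys, and pollution through assignment always creates one.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Feed a store the same two cookies. The first carries a hostile Domain=__proto__
// (accepted only when rejectPublicSuffixes is false); the second is an ordinary
// cookie for an unrelated domain that happens to share the same Path.
function demonstrate(StoreClass) {
  const store = new StoreClass();
  store.putCookie({ domain: "__proto__", path: "/notauth", key: "Slonser", value: "polluted" });
  store.putCookie({ domain: "google.com", path: "/notauth", key: "Auth", value: "Lol" });

  const unrelated = {};                      // any fresh object in the process
  const inherited = unrelated["/notauth"];   // defined only if Object.prototype was polluted
  const result = {
    polluted: !prototypeIsClean(),
    leaked: inherited ? { ...inherited } : null,
  };

  // Undo the damage so the pollution does not outlive this demonstration.
  delete Object.prototype["/notauth"];
  return result;
}

console.log("vulnerable:", demonstrate(VulnerableStore));
// vulnerable: { polluted: true, leaked: { Slonser: 'polluted', Auth: 'Lol' } }
console.log("hardened:  ", demonstrate(HardenedStore));
// hardened:   { polluted: false, leaked: null }
```

The vulnerable run shows the two-stage effect: the first cookie creates Object.prototype["/notauth"], and the second cookie, set for a completely different domain, finds that inherited object through the prototype chain and writes its Auth value into it, so the unrelated-domain cookie is now readable from any object in the process. The hardened store gives neither symptom because "__proto__" is just a key on a null-prototype object.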
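Because tough-cookie is usually pulled in transitively (and often at more than one version in the same tree), "upgrade to 4.1.3" has to be verified against every installed copy, not just the top-level one. The following is an added example, not from the page or the project, that walks an npm lockfile (lockfileVersion 2 or 3, which carry a "packages" map keyed by install path) and flags each copy below the fixed release. The lockfile, package names and versions in it are constructed for the demonstration; compareVersions is a deliberately minimal X.Y.Z comparison, not a full semver implementation. A flagged copy is a necessary, not sufficient, condition for exposure, since the pollution path also needs a jar built with rejectPublicSuffixes: false.

```javascript
// Added example, not from the page or the project: find every installed copy of
// tough-cookie in an npm lockfile and flag those below the fixed release.
// The lockfile below is constructed; its versions are illustrative only.

const FIXED_VERSION = "4.1.3";

const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { jsdom: "^20.0.0", request: "^2.88.0" } },
    "node_modules/tough-cookie": { version: "4.1.3" },
    "node_modules/jsdom": { version: "20.0.3", dependencies: { "tough-cookie": "^4.1.2" } },
    "node_modules/jsdom/node_modules/tough-cookie": { version: "4.1.2" },
    "node_modules/request": { version: "2.88.2", dependencies: { "tough-cookie": "~2.5.0" } },
    "node_modules/request/node_modules/tough-cookie": { version: "2.5.0" },
  },
};

// Compare two release versions numerically (assumption: plain X.Y.Z strings;
// a prerelease or build suffix is ignored rather than ordered).
function compareVersions(a, b) {
  const parse = (v) => v.split(/[-+]/)[0].split(".").map((n) => parseInt(n, 10) || 0);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function findToughCookieCopies(lockfile, fixed = FIXED_VERSION) {
  const findings = [];
  for (const [installPath, meta] of Object.entries(lockfile.packages || {})) {
    // The segment after the last "node_modules/" is the package name, which also
    // catches nested copies such as node_modules/jsdom/node_modules/tough-cookie.
    const name = installPath.split("node_modules/").pop();
    if (name !== "tough-cookie" || !meta.version) continue;
    findings.push({
      installPath,
      version: meta.version,
      vulnerable: compareVersions(meta.version, fixed) < 0,
    });
  }
  return findings;
}

// Print one line per copy and return the number of copies still below the fix.
function report(lockfile) {
  const findings = findToughCookieCopies(lockfile);
  for (const f of findings) {
    const tag = f.vulnerable ? "VULNERABLE" : "ok        ";
    console.log(`${tag} ${f.version.padEnd(7)} ${f.installPath}`);
  }
  return findings.filter((f) => f.vulnerable).length;
}

// Against a real tree: report(JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")))
report(SAMPLE_LOCK);
```

On the constructed lockfile the top-level copy is already 4.1.3, but the copies nested under jsdom (4.1.2) and request (2.5.0) are both inside the "before 4.1.3" range the advisories give, so the report returns 2; those are the copies an `npm ls tough-cookie` or `npm audit` run would also need to resolve, typically by bumping the parent package or adding an override.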

Vulnerability details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

CWE(s)

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

salesforce
tough-cookie
< 4.1.3 (fixed in 4.1.3)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.