Debian Package Tracker
Register | Log in
Subscribe

node-js-cookie

Lightweight JavaScript cookie API

Choose email to subscribe with

general
  • source: node-js-cookie (main)
  • version: 3.0.7+~3.0.6-2
  • maintainer: Debian Javascript Maintainers (archive) (DMD)
  • uploaders: Daniel Ring [DMD]
  • arch: all
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 2.2.1-1
  • oldstable: 3.0.1+~3.0.0-3
  • stable: 3.0.1+~3.0.0-3
  • testing: 3.0.7+~3.0.6-2
  • unstable: 3.0.7+~3.0.6-2
versioned links
  • 2.2.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.0.1+~3.0.0-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.0.7+~3.0.6-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • node-js-cookie
action needed
A new upstream version is available: 3.0.8+~3.0.6 high
A new upstream version 3.0.8+~3.0.6 is available, you should consider packaging it.
Created: 2026-05-31 Last update: 2026-07-03 13:32
1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:
  • CVE-2026-46625: JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property, so the for…in enumerates it and the target[key] = source[key] write triggers the Object.prototype.__proto__ setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys. Because the consuming set() function then enumerates the merged object with another for...in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down. This issue has been patched in version 3.0.7.
Created: 2026-06-12 Last update: 2026-06-24 00:50
1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:
  • CVE-2026-46625: JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property, so the for…in enumerates it and the target[key] = source[key] write triggers the Object.prototype.__proto__ setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys. Because the consuming set() function then enumerates the merged object with another for...in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down. This issue has been patched in version 3.0.7.
Created: 2026-06-12 Last update: 2026-06-24 00:50
1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:
  • CVE-2026-46625: (needs triaging) JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property, so the for…in enumerates it and the target[key] = source[key] write triggers the Object.prototype.__proto__ setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys. Because the consuming set() function then enumerates the merged object with another for...in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down. This issue has been patched in version 3.0.7.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-06-12 Last update: 2026-06-24 00:50
news
[rss feed]
  • [2026-05-27] node-js-cookie 3.0.7+~3.0.6-2 MIGRATED to testing (Debian testing watch)
  • [2026-05-23] Accepted node-js-cookie 3.0.7+~3.0.6-2 (source) into unstable (Xavier Guimard)
  • [2026-05-18] Accepted node-js-cookie 3.0.7+~3.0.6-1 (source) into unstable (Xavier Guimard)
  • [2022-10-28] node-js-cookie 3.0.1+~3.0.0-3 MIGRATED to testing (Debian testing watch)
  • [2022-10-26] Accepted node-js-cookie 3.0.1+~3.0.0-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2021-11-09] node-js-cookie 3.0.1+~3.0.0-2 MIGRATED to testing (Debian testing watch)
  • [2021-11-06] Accepted node-js-cookie 3.0.1+~3.0.0-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2021-10-18] node-js-cookie 2.2.1-2 MIGRATED to testing (Debian testing watch)
  • [2021-10-15] Accepted node-js-cookie 3.0.1+~3.0.0-1 (source) into experimental (Yadd) (signed by: Xavier Guimard)
  • [2021-10-15] Accepted node-js-cookie 3.0.1-1 (source) into experimental (Yadd) (signed by: Xavier Guimard)
  • [2021-10-15] Accepted node-js-cookie 2.2.1-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2019-11-29] node-js-cookie 2.2.1-1 MIGRATED to testing (Debian testing watch)
  • [2019-11-24] Accepted node-js-cookie 2.2.1-1 (source) into unstable (Xavier Guimard)
  • [2019-01-22] node-js-cookie 2.2.0-2 MIGRATED to testing (Debian testing watch)
  • [2019-01-19] Accepted node-js-cookie 2.2.0-2 (source) into unstable (Daniel Ring) (signed by: Xavier Guimard)
  • [2018-01-14] node-js-cookie 2.2.0-1 MIGRATED to testing (Debian testing watch)
  • [2018-01-04] Accepted node-js-cookie 2.2.0-1 (source all) into unstable, unstable (Daniel Ring) (signed by: Praveen Arimbrathodiyil)
bugs [bug history graph]
  • all: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 3.0.7+~3.0.6-2

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing