CVE-2022-23395 - Prototype Pollution and XSS in jQuery Cookie 1.4.1

CVE-2022-23395 is a serious security issue that affects the popular jQuery Cookie plugin version 1.4.1. This vulnerability is related to prototype pollution and can be exploited to perform DOM-based Cross-Site Scripting (XSS) attacks. Below, you’ll find a clear explanation, code snippets demonstrating the flaw, details on exploitation, and references for further reading.

What Is Prototype Pollution?

Prototype pollution is a kind of vulnerability where an attacker can modify the prototype (__proto__) of a base object in JavaScript. This can change the behavior of all objects in the application, often in dangerous ways.

For example

let obj = {};
obj.__proto__.x = 1;
console.log({}.x); // Outputs: 1

Any object now "inherits" x = 1 because we've polluted the prototype.

How jQuery Cookie 1.4.1 Is Vulnerable

jQuery Cookie is a plugin to read and write cookies in the browser with jQuery. In version 1.4.1, it parses cookie names and values into JavaScript objects but doesn't prevent users from writing or reading object properties like __proto__.

Here’s a simplified version of what goes wrong

// jQuery Cookie parses cookie data into an object
function parseCookie(cookieString) {
  var result = {};
  var pairs = cookieString.split('; ');
  pairs.forEach(function(pair) {
    var parts = pair.split('=');
    var key = decodeURIComponent(parts[]);
    var value = decodeURIComponent(parts[1] || '');
    result[key] = value; // <= No check for dangerous keys like "__proto__"
  });
  return result;
}

// Example with malicious cookie
document.cookie = '__proto__=polluted';
var cookiesObj = parseCookie(document.cookie);
console.log({}.polluted); // Outputs: "polluted"

The Problem

Because parseCookie assigns directly to the object with any key, an attacker can set a cookie named __proto__ and inject properties into all objects on the page.

Exploit: From Prototype Pollution to XSS

Once the attacker pollutes the prototype, next steps depend on how your site uses cookie data. If your code or a library later uses a polluted object (for example, to render HTML), it could cause an XSS vulnerability.

`js

// Code that renders cookie values in the DOM

document.body.innerHTML += userPref;

}

`

Now, userPref is attacker-controlled, and the malicious <img> tag is injected into the page, leading to XSS.

How To Mitigate

- Upgrade jQuery Cookie: Use js-cookie instead, which is actively maintained and doesn't allow dangerous keys.

Filter Cookie Names: Always validate and filter cookie names before parsing them into objects.

- Patch Your Code: Prevent setting or reading properties named __proto__, constructor, or prototype.

References

- CVE Record: CVE-2022-23395
- jQuery Cookie GitHub Issue
- PayloadAllTheThings: Prototype Pollution
- Snyk Vulnerability Report
- js-cookie (Safe Alternative)

Conclusion

The CVE-2022-23395 vulnerability in jQuery Cookie 1.4.1 is a textbook example of how seemingly harmless libraries can open the door to serious security threats like prototype pollution and XSS. Always keep your dependencies up to date, and never trust untrusted input—including cookie names!

Timeline

Published on: 03/02/2022 12:15:00 UTC
Last modified on: 04/18/2022 18:36:00 UTC