Summary
react-use@17.6.0 declares js-cookie@^2.2.1 as a dependency (used internally by the useCookie hook). This version is affected by CVE-2026-46625 (CVSS 7.5 High, CWE-1321 Prototype Pollution), published May 16, 2026.
No patched version exists in the v2.x line. The fix is only available in js-cookie@3.0.7.
Vulnerable code path in react-use
useCookie passes the user-supplied options parameter directly to Cookies.set() without any sanitization:
```ts
// src/useCookie.ts
const updateCookie = useCallback(
  (newValue: string, options?: Cookies.CookieAttributes) => {
    Cookies.set(cookieName, newValue, options);
    setValue(newValue);
  },
  [cookieName]
);
```
In js-cookie 2.2.1, set() calls the internal extend() function:
```js
// js-cookie v2.2.1 — src/js.cookie.js
function extend () {
  var i = 0;
  var result = {};
  for (; i < arguments.length; i++) {
    var attributes = arguments[ i ];
    for (var key in attributes) { // enumerates __proto__ if it's an own property
      result[key] = attributes[key]; // triggers the __proto__ setter
    }
  }
  return result;
}

function set (key, value, attributes) {
  attributes = extend({path: '/'}, api.defaults, attributes); // user input enters here
  // ...
  for (var attributeName in attributes) { // polluted keys land in Set-Cookie string
    stringifiedAttributes += '; ' + attributeName;
  }
  return (document.cookie = key + '=' + value + stringifiedAttributes);
}
```
If options originates from JSON.parse() of untrusted data (e.g., API response, backend configuration), an attacker can inject a "__proto__" key with arbitrary cookie attributes (domain, secure, samesite, expires, path), causing js-cookie to write a Set-Cookie string with attacker-controlled attributes.
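An added example (not code from react-use or js-cookie): the for-in merge from the excerpt above beside a hardened merge, plus a consumer-side check for parsed JSON options before they reach updateCookie(); safeExtend, hasForbiddenKey, attributeSuffix and the UNTRUSTED_OPTIONS sample are constructed for this illustration.

```javascript
// Added example (not react-use or js-cookie source), run on a constructed options object.

// Mirrors js-cookie 2.2.1 extend(): for-in over each source, assigning by key.
function vulnerableExtend() {
  var result = {};
  for (var i = 0; i < arguments.length; i++) {
    var attributes = arguments[i];
    for (var key in attributes) {
      result[key] = attributes[key]; // a "__proto__" key rewires result's prototype
    }
  }
  return result;
}

// Hardened merge: null-prototype target, own keys only, prototype-related keys skipped.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeExtend(...sources) {
  const result = Object.create(null);
  for (const attributes of sources) {
    if (attributes === null || typeof attributes !== 'object') continue;
    for (const key of Object.keys(attributes)) {
      if (FORBIDDEN_KEYS.has(key)) continue;
      result[key] = attributes[key];
    }
  }
  return result;
}

// Consumer-side check before handing parsed JSON to updateCookie():
// true when any (nested) object carries a prototype-related own key.
function hasForbiddenKey(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(value).some(
    (k) => FORBIDDEN_KEYS.has(k) || hasForbiddenKey(value[k])
  );
}

// Mirrors the for-in loop in set() that appends "; <attribute>" per key,
// so inherited keys show up exactly as they would in document.cookie.
function attributeSuffix(attributes) {
  let out = '';
  for (const attributeName in attributes) out += '; ' + attributeName;
  return out;
}

// Constructed sample: options as they might arrive from JSON.parse() of untrusted data.
const UNTRUSTED_OPTIONS = JSON.parse(
  '{"expires": 7, "__proto__": {"domain": "example.com", "secure": true}}'
);
```

Only the merged object's own prototype is rewired here, not Object.prototype; the inherited keys are nonetheless picked up by the for-in in set() and end up in the cookie string.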
API compatibility with js-cookie v3
I verified that useCookie.ts uses only:
- Cookies.get(name) — same signature in v3
- Cookies.set(name, value, options) — same signature in v3 (value is always a string, so the removed auto-stringify does not apply)
- Cookies.remove(name) — same signature in v3
None of the v3 breaking changes affect useCookie:
- Cookies.defaults — not used
- Cookies.getJSON() — not used
- Cookies.withConverter(fn) — not used
- Cookies.noConflict() — not used
The upgrade to js-cookie@^3.0.7 (+ @types/js-cookie@^3.0.0) is a drop-in replacement for useCookie — no code changes required. This is confirmed by PR #2100 which only modifies package.json and yarn.lock.
Existing work
PR #2100 was opened by Renovate on September 1, 2021 to upgrade js-cookie from ^2.2.1 to ^3.0.0. It has not been merged in nearly 4 years.
Impact on downstream consumers
All 3,400+ packages and projects depending on react-use have js-cookie@2.2.1 resolved in their dependency tree. Security scanners (npm audit, Snyk, GitLab Dependency Scanning, Dependabot, etc.) flag this as a high-severity finding, blocking compliance pipelines — regardless of whether the consuming project uses useCookie.
Request
Please merge #2100 (updating the version range to ^3.0.7 to include the security fix) and publish a new release.
References