
CVE-2023-26136 PoC: tough-cookie security vulnerability

Source
Associated Vulnerability
Title: tough-cookie security vulnerability (CVE-2023-26136)
Description: Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Description
This repository contains a patched build of tough-cookie 2.5.0 and a proof-of-concept script for the CVE-2023-26136 vulnerability.
Readme
## Research on the vulnerability CVE-2023-26136

### Description

Versions of the package `tough-cookie` before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of cookies when using `CookieJar` in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which objects are initialized.


### Objective and Fix
This project aims to provide a patched version of `tough-cookie@2.5.0` that eliminates the `CVE-2023-26136` vulnerability while preserving backward compatibility.

To fix the vulnerability, we modified `lib/memstore.js` so that the in-memory cookie index is created with `Object.create(null)` instead of a plain object literal. This prevents prototype manipulation through a maliciously crafted cookie `Domain` attribute (for example `Domain=__proto__`), which the jar accepts when `rejectPublicSuffixes` is `false`.


### Structure

The `tough-cookie/` directory contains two additional directories holding the original and patched versions of tough-cookie:

1. **Original version (`v2.5.0/`)** – Unmodified `tough-cookie` 2.5.0, which is vulnerable.
2. **Patched version (`v2.5.0-PATCHED/`)** – A modified version that includes a fix for `CVE-2023-26136`.

### Installation

To install the original vulnerable version:
```sh
npm install tough-cookie@2.5.0
```

### Patch Details

The applied patch changes the way the in-memory store indexes cookies: `this.idx = {};`
was changed to: `this.idx = Object.create(null);`

The vulnerability arises because `MemoryCookieStore` keeps cookies in nested plain objects keyed by domain, path and cookie name (`idx[domain][path][key]`). A plain `{}` inherits from `Object.prototype`, so when an attacker-supplied `Domain=__proto__` is used as the first key, `idx["__proto__"]` resolves to `Object.prototype` itself, and the per-path and per-cookie writes that follow land on the shared prototype, where every object in the process can see them. This can alter application behaviour anywhere code reads a property it expects to be absent. The `rejectPublicSuffixes=false` mode matters because, with the default of `true`, `__proto__` has no public suffix, so the cookie is rejected before it is ever stored.

`Object.create(null)` creates an object with no prototype (`[[Prototype]]: null`). It inherits nothing from `Object.prototype`, so `__proto__` is just an ordinary own key on the index and no write can reach the prototype chain; the cookie store is isolated from unintended prototype inheritance. The same change is worth applying to the nested per-domain and per-path objects that `putCookie` creates with `{}`; the upstream fix released in 4.1.3 does so as well.


### Installation Guide and Patch Instructions

To install the patched version locally, follow these steps:

1. **Inspect the patched package (optional):**

The tarball lives in `v2.5.0-PATCHED/`. List its contents without extracting:

`tar -tzf tough-cookie-2.5.0.tgz`

If needed, extract it:

`tar -xzf tough-cookie-2.5.0.tgz`

2. **Install the patched package:**

`npm install ./tough-cookie-2.5.0.tgz`

3. **Verify the fix:**

Run the test script from the `tough-cookie/` directory once with the original package installed and once with the patched one:

`node index.js`

Expected output:

`EXPLOITED SUCCESSFULLY` - for the original version

`EXPLOIT FAILED` - for the patched version
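The following is an added example; it is not the repository's `index.js` and not tough-cookie's own code. It models the `idx[domain][path][key]` index that `MemoryCookieStore.putCookie` maintains in `memstore.js`, in the vulnerable plain-object form, in the README's top-level-only `Object.create(null)` form, and with the fix applied at every level, and runs the `Domain=__proto__` sequence against each so the check under "Verify the fix" can be reproduced offline without installing either package version. Cookie names, values and domains are constructed; the verdict strings mirror those the README expects from `index.js`.

```javascript
// Added example: a stand-alone model of the in-memory cookie index kept by
// tough-cookie's MemoryCookieStore (idx[domain][path][key] = cookie). This is
// not the PoC repository's index.js and not tough-cookie's own code; cookie
// parsing, validation and matching are omitted so only the storage step is modelled.

// Minimal stand-in for a stored cookie: only the fields the index keys on.
function makeCookie(key, value, domain, path) {
  return { key, value, domain, path };
}

// putCookie as it works in the vulnerable store: every level of the index is a
// plain object, so a Domain of "__proto__" resolves to Object.prototype and the
// path and key writes below it land on the shared prototype.
function putCookieVulnerable(idx, cookie) {
  if (!idx[cookie.domain]) idx[cookie.domain] = {};
  if (!idx[cookie.domain][cookie.path]) idx[cookie.domain][cookie.path] = {};
  idx[cookie.domain][cookie.path][cookie.key] = cookie;
}

// putCookie with the fix applied at every level: null-prototype objects treat
// "__proto__" as an ordinary own key, so nothing can reach Object.prototype.
function putCookiePatched(idx, cookie) {
  if (!idx[cookie.domain]) idx[cookie.domain] = Object.create(null);
  if (!idx[cookie.domain][cookie.path]) idx[cookie.domain][cookie.path] = Object.create(null);
  idx[cookie.domain][cookie.path][cookie.key] = cookie;
}

// Stores the two constructed cookies from the PoC sequence and then checks
// whether a fresh, unrelated object can see the "Auth" cookie through the
// prototype chain. Returns the leaked cookie value, or null when nothing leaked.
function runPoc(createIdx, putCookie) {
  const idx = createIdx();
  // Attacker-controlled cookie: Domain=__proto__ only reaches the store when
  // rejectPublicSuffixes=false, because "__proto__" has no public suffix.
  putCookie(idx, makeCookie("Slonser", "polluted", "__proto__", "/notauth"));
  // Victim cookie set for a legitimate domain on the same path.
  putCookie(idx, makeCookie("Auth", "Lol", "example.com", "/notauth"));

  const probe = {}; // never touched by the store
  const leaked = probe["/notauth"] && probe["/notauth"]["Auth"]
    ? probe["/notauth"]["Auth"].value
    : null;

  // Undo any pollution so later runs in the same process start clean.
  delete Object.prototype["/notauth"];
  return leaked;
}

// Original 2.5.0 behaviour: plain objects at every level.
function runOriginal() {
  return runPoc(() => ({}), putCookieVulnerable);
}

// The README's patch: only `this.idx` becomes a null-prototype object while the
// nested per-domain and per-path objects stay plain. "__proto__" is then an own
// key of idx, so the Domain vector no longer reaches Object.prototype.
function runTopLevelOnly() {
  return runPoc(() => Object.create(null), putCookieVulnerable);
}

// Defence in depth: null-prototype objects at every level of the index.
function runPatched() {
  return runPoc(() => Object.create(null), putCookiePatched);
}

// Same verdict strings the repository's index.js is documented to print.
function verdict(leaked) {
  return leaked === null ? "EXPLOIT FAILED" : "EXPLOITED SUCCESSFULLY";
}

function main() {
  console.log("original (idx = {}):                        " + verdict(runOriginal()));
  console.log("top-level Object.create(null) only:         " + verdict(runTopLevelOnly()));
  console.log("Object.create(null) at every level:         " + verdict(runPatched()));
}

main();
```

The first run leaks the victim's `Auth` cookie through `({})["/notauth"]["Auth"]`, exactly the property chain the PoC writes onto `Object.prototype`; the other two runs return nothing because `__proto__` never resolves to the prototype. The example cleans up after the vulnerable run, which a real reproduction against the installed package does not; run the real `index.js` in a fresh process for each version.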


### Node.js Compatibility

The patched version has been tested on Node.js 20 (LTS) to ensure compatibility with the latest stable runtime environment.


### Repository and Fork

The upstream `tough-cookie` repository (Salesforce) is currently at version 5.1.1. Since this work targets version 2.5.0, a direct fork of the main repository was not used. Instead, we created a separate repository containing both the original and patched versions. You can find it here:

GitHub Repository - Forked Version


### CI/CD
- No CI/CD tools were used in this research.
- Familiar with Docker (basic level).


### Reference

For more details, visit the official CVE page: [CVE-2023-26136 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-26136)

File Snapshot

```
[4.0K] /data/pocs/8284b5c8656685423e2ffa8ca07e3d24b7b21216
├── [ 703] patch_diff.txt
├── [3.5K] README.md
└── [4.0K] tough-cookie
    ├── [3.3K] index.js
    ├── [4.0K] node_modules
    ├── [4.0K] Original v2.5.0
    │   ├── [4.0K] lib
    │   │   ├── [ 40K] cookie.js
    │   │   ├── [5.7K] memstore.js
    │   │   ├── [2.4K] pathMatch.js
    │   │   ├── [2.2K] permuteDomain.js
    │   │   ├── [1.7K] pubsuffix-psl.js
    │   │   ├── [2.9K] store.js
    │   │   └── [  52] version.js
    │   ├── [1.5K] LICENSE
    │   ├── [1.7K] package.json
    │   └── [ 27K] README.md
    ├── [   3] package.json
    ├── [  91] package-lock.json
    └── [4.0K] v2.5.0-PATCHED
        ├── [4.0K] lib
        │   ├── [ 40K] cookie.js
        │   ├── [6.0K] memstore.js
        │   ├── [2.4K] pathMatch.js
        │   ├── [2.2K] permuteDomain.js
        │   ├── [1.7K] pubsuffix-psl.js
        │   ├── [2.9K] store.js
        │   └── [  52] version.js
        ├── [1.5K] LICENSE
        ├── [1.7K] package.json
        ├── [ 27K] README.md
        └── [ 25K] tough-cookie-2.5.0.tgz

6 directories, 26 files
```