CVE-2023-26136 — tough-cookie Prototype Pollution CRITICAL
🔴 CISA KEV
npm
CVSS 9.8 · tough-cookie < 4.1.3 → 4.1.3
tough-cookie, used for HTTP cookie handling in Node.js, is vulnerable to prototype pollution via specially crafted cookie values. tough-cookie is a transitive dependency of many packages including request and axios.
What's affected
| Package | Ecosystem | Vulnerable | Safe version |
|---|---|---|---|
| tough-cookie | npm | < 4.1.3 | 4.1.3 |
How to fix CVE-2023-26136
- Update tough-cookie to 4.1.3
- If tough-cookie is only a transitive dependency, add an override to package.json: `{"overrides": {"tough-cookie": "4.1.3"}}`
- Run `npm install` so the lockfile and node_modules pick up the new version
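Because the vulnerable copy is often nested under another package, checking only the top-level version can miss it. The following script is an added example (not PackageFix or tough-cookie code) that walks a package-lock.json and reports every installed tough-cookie copy below 4.1.3; the lockfile it scans is constructed for illustration.

```javascript
// Added example, not PackageFix or tough-cookie code: list every copy of tough-cookie
// recorded in a package-lock.json (lockfileVersion 2 or 3) and flag versions below the
// fixed release 4.1.3. The "packages" map is keyed by install path, so nested transitive
// copies such as node_modules/request/node_modules/tough-cookie are found as well.
const FIXED_VERSION = '4.1.3';

// Parse the numeric major.minor.patch triple; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator returning -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// One entry per installed tough-cookie copy: { path, version, vulnerable }.
function findToughCookie(lock) {
  const pkgs = lock.packages || {};
  return Object.keys(pkgs)
    .filter((p) => p === 'node_modules/tough-cookie' || p.endsWith('/node_modules/tough-cookie'))
    .map((p) => ({
      path: p,
      version: pkgs[p].version,
      vulnerable: compareVersions(pkgs[p].version, FIXED_VERSION) < 0,
    }));
}

// Constructed sample lockfile: the top-level copy was bumped to 4.1.3, but the nested
// copy pinned by `request` was never regenerated and is still vulnerable.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { request: '2.88.2' } },
    'node_modules/tough-cookie': { version: '4.1.3' },
    'node_modules/request': { version: '2.88.2', dependencies: { 'tough-cookie': '~2.5.0' } },
    'node_modules/request/node_modules/tough-cookie': { version: '2.5.0' },
  },
};
// To scan a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
for (const e of findToughCookie(SAMPLE_LOCK)) {
  console.log(`${e.path}@${e.version} ${e.vulnerable ? `VULNERABLE (< ${FIXED_VERSION})` : 'ok'}`);
}
```

A nested copy that still reports as vulnerable after adding the override means the lockfile was not regenerated; rerun `npm install` and scan again.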
✓ Verify with PackageFix
Paste your manifest into PackageFix to confirm the fix was applied. If CVE-2023-26136 no longer appears in the CVE table, you're clean.
Frequently Asked Questions
What is tough-cookie used for?
tough-cookie handles HTTP cookies in Node.js — parsing, storing, and serializing cookies for HTTP clients. It is a transitive dependency of many popular packages including request, got, and superagent.
Is tough-cookie on CISA KEV?
Check the live CISA KEV catalog at packagefix.dev — the catalog updates daily.
How do I update tough-cookie if it's a transitive dependency?
Use npm overrides in package.json: `{"overrides": {"tough-cookie": "4.1.3"}}`. PackageFix generates this snippet automatically.