Fix tough-cookie — CVE-2023-26136 CRITICAL
Fix CVE-2023-26136 (CRITICAL) in tough-cookie for npm. Paste your package.json into PackageFix and get a patched version — no CLI, no signup. Prototype pollution via cookie parsing.
⚠ Vulnerability
CVE-2023-26136 (CRITICAL) — prototype pollution via cookie parsing in tough-cookie versions below 4.1.3.
Vulnerable Version — package.json
"tough-cookie": "4.1.2"
Fixed Version — package.json
"tough-cookie": "4.1.3"
✓ Fix
Update tough-cookie to 4.1.3 or later. Run npm install to apply. Verify with your ecosystem's audit tool after updating.
CVE Details
| Field | Value |
|---|---|
| CVE ID | CVE-2023-26136 |
| Severity | CRITICAL |
| Package | tough-cookie (npm) |
| Vulnerable versions | Below 4.1.3 |
| Safe version | 4.1.3 |
| CISA KEV | — |
| Description | Prototype pollution via cookie parsing |
Frequently Asked Questions
What is CVE-2023-26136?
CVE-2023-26136 is a CRITICAL severity vulnerability in tough-cookie (npm). It allows prototype pollution via cookie parsing. Update to version 4.1.3 or later to fix it.
How do I fix CVE-2023-26136 in tough-cookie?
Update tough-cookie to version 4.1.3 in your package.json. Run npm install after updating to apply the fix.
Is CVE-2023-26136 being actively exploited?
Check the live CISA KEV catalog at packagefix.dev — PackageFix always reflects the current KEV status.
How do I check if I am affected by CVE-2023-26136?
Paste your package.json into PackageFix. If your installed version of tough-cookie is below 4.1.3, you are affected. PackageFix shows the exact CVE ID and fix version.
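An added example (not PackageFix's code): a Node.js check that walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3) and flags every installed tough-cookie copy below 4.1.3, including nested transitive copies that package.json does not list. The sample lockfile and its package names are constructed, and the function names are hypothetical.

```javascript
// Added example, not PackageFix code. Function names are hypothetical.
const FIXED = [4, 1, 3]; // safe version stated on this page

// True when `version` sorts below 4.1.3 (numeric compare per component).
function isBelowFixed(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  for (let i = 0; i < 3; i++) {
    const part = Number(m[i + 1]);
    if (part !== FIXED[i]) return part < FIXED[i];
  }
  return Boolean(m[4]); // a pre-release such as 4.1.3-rc.1 precedes 4.1.3
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json.
// Nested copies appear as "node_modules/<parent>/node_modules/tough-cookie".
function findToughCookie(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/tough-cookie")) continue;
    if (typeof meta.version !== "string") continue; // e.g. linked entries
    hits.push({ path, version: meta.version, vulnerable: isBelowFixed(meta.version) });
  }
  return hits;
}

// Constructed sample lockfile; package names other than tough-cookie are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/tough-cookie": { version: "4.1.3" },
    "node_modules/http-client-x/node_modules/tough-cookie": { version: "2.5.0" },
    "node_modules/dom-lib-y/node_modules/tough-cookie": { version: "4.1.2" },
    "node_modules/tough-cookie-extras": { version: "1.0.0" },
  },
};

for (const h of findToughCookie(sampleLock)) {
  console.log(`${h.vulnerable ? "VULNERABLE" : "ok"}\t${h.version}\t${h.path}`);
}
```

To run it against a real project, replace `sampleLock` with the parsed contents of that project's package-lock.json.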