Intel

AIKIDO-2026-329411

@preeternal/react-native-cookie-manager is vulnerable to Improper Cookie Domain Validation

Improper Cookie Domain Validation Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

59

Medium Risk

This Affects:

JS@preeternal/react-native-cookie-manager
6.3.0 - 6.3.2
Fixed in 6.3.3
Are you affected? Scan for Free

TL;DR

The library validates a cookie's domain against the request host using an unanchored substring check in the native Android and iOS implementations. Because the host or the cookie domain only needs to contain the other value as a substring, a cookie scoped to a domain such as example.com is accepted for unrelated hosts like notexample.com, and cookies can match hosts they do not belong to. This allows cookies to be set for or returned to unintended hosts, enabling cookie misuse across origins. The fix replaces the substring check with case-insensitive exact-host or parent-domain (dot-suffix) matching.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application sets or reads cookies for hosts or cookie domains that can be influenced by untrusted input.

Background info

@preeternal/react-native-cookie-manager is vulnerable to Improper Cookie Domain Validation in versions 6.3.0 - 6.3.2.

How to fix this

Upgrade the @preeternal/react-native-cookie-manager library to the patch version.