TL;DR
Prototype pollution is a JavaScript-specific vulnerability where attackers can inject properties into Object.prototype, affecting all objects in the application. This happens through unsafe object merging or path assignment. It can lead to property injection, authentication bypass, or even remote code execution.
How Prototype Pollution Works
Polluting the prototype
```javascript
// Vulnerable merge function: it recurses into every key of `source`, including
// an own "__proto__" key, and target["__proto__"] resolves to Object.prototype
function merge(target, source) {
  for (let key in source) {
    if (typeof source[key] === 'object') {
      target[key] = merge(target[key] || {}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Attacker sends this payload (JSON.parse creates an OWN "__proto__" key,
// unlike an object literal, so the loop above visits it):
const malicious = JSON.parse('{"__proto__": {"isAdmin": true}}');
merge({}, malicious);

// Now ALL objects have isAdmin!
const user = {};
console.log(user.isAdmin); // true!
```
Attack Vectors
- `__proto__` - Direct prototype access
- `constructor.prototype` - Through the constructor
- Nested path assignment: `a.b.c` where `b` is `__proto__`
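The three vectors above can be screened for before untrusted input ever reaches a merge or path-assignment helper. The following is an added example (not code from the original page): a walker that reports the dotted paths at which any of the dangerous keys appear in a parsed JSON body, and a segment check for dotted path strings of the `a.b.c` kind. The payloads at the bottom are constructed samples, and the key list mirrors the page's own BLOCKED list, so it is deliberately conservative (a legitimate field literally named `constructor` would also be flagged).

```javascript
// Added example, not part of the original page.
// Keys that can reach Object.prototype when used as property names.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed JSON value and collect the dotted paths of dangerous keys.
// Object.keys lists "__proto__" only when it is an OWN key, which is exactly
// what JSON.parse produces for '{"__proto__": ...}' (a literal would not).
function findPollutionVectors(value, path = '', found = []) {
  if (value === null || typeof value !== 'object') return found;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (DANGEROUS_KEYS.has(key)) found.push(here);
    findPollutionVectors(value[key], here, found);
  }
  return found;
}

// Dotted paths used by "set by path" helpers are checked segment by segment,
// so "a.__proto__.c" is rejected while "a.b.c" passes.
function isSafePath(path) {
  return path.split('.').every((segment) => !DANGEROUS_KEYS.has(segment));
}

// Constructed sample payloads (not real traffic).
const samples = {
  benign: JSON.parse('{"name": "alice", "prefs": {"theme": "dark"}}'),
  proto: JSON.parse('{"__proto__": {"isAdmin": true}}'),
  ctor: JSON.parse('{"constructor": {"prototype": {"isAdmin": true}}}'),
  nested: JSON.parse('{"a": {"__proto__": {"isAdmin": true}}}'),
};

for (const [name, payload] of Object.entries(samples)) {
  const hits = findPollutionVectors(payload);
  console.log(name, hits.length ? `REJECT ${hits.join(', ')}` : 'ok');
}
console.log('a.b.c', isSafePath('a.b.c'), 'a.__proto__.c', isSafePath('a.__proto__.c'));
```

A check like this belongs at the trust boundary (request body parsing, config loading), where rejecting the whole payload and logging the offending path is cheap and gives a clear detection signal; it does not replace hardening the merge itself, because other input sources may bypass the check.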
Real-World Impact
Authentication bypass example
```javascript
// Somewhere in your code:
if (user.role === 'admin') {
  // Grant admin access
}

// After prototype pollution with {"__proto__": {"role": "admin"}}
// every object now inherits role: 'admin', so all users get admin access!
```
Prevention
Safe practices
```javascript
// 1. Use Object.create(null) for untrusted data
const safe = Object.create(null); // No prototype, so there is no __proto__ to reach

// 2. Block dangerous keys
const BLOCKED = ['__proto__', 'constructor', 'prototype'];
function safeMerge(target, source) {
  for (let key in source) {
    if (BLOCKED.includes(key)) continue; // skip keys that lead to the prototype
    if (source[key] && typeof source[key] === 'object') {
      target[key] = safeMerge(target[key] || {}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// 3. Use Map instead of plain objects
const data = new Map(); // keys are never property names, so "__proto__" is just a string

// 4. Freeze the prototype (defense in depth)
Object.freeze(Object.prototype); // later writes are ignored (or throw in strict mode)
```
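The four practices above combine naturally into one hardened sink. The following is an added example (not the page's own code): a deep merge that copies only own keys, skips the blocked names and builds null-prototype containers, a matching "set by dotted path" helper that refuses blocked segments, and a canary that confirms `Object.prototype` is still clean after processing a hostile payload. The payload and the function names (`hardenedMerge`, `hardenedSetPath`, `prototypeIsClean`) are assumptions made for this example.

```javascript
// Added example, not part of the original page.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Works on null-prototype objects too, which have no own hasOwnProperty method.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Merge `source` into `target`. Only OWN keys are copied (for...in would also
// walk inherited ones), blocked keys are skipped, and every container created
// along the way has a null prototype so it cannot serve as a pollution path.
function hardenedMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = hasOwn(target, key) && isPlainObject(target[key])
        ? target[key]
        : Object.create(null);
      target[key] = hardenedMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Assign `value` at a dotted path, rejecting any blocked segment up front
// (so "a.__proto__.isAdmin" throws instead of reaching Object.prototype).
function hardenedSetPath(obj, path, value) {
  const parts = path.split('.');
  if (parts.some((p) => BLOCKED_KEYS.has(p))) {
    throw new Error(`refusing to assign through blocked segment in "${path}"`);
  }
  let cursor = obj;
  for (const part of parts.slice(0, -1)) {
    if (!hasOwn(cursor, part) || !isPlainObject(cursor[part])) {
      cursor[part] = Object.create(null);
    }
    cursor = cursor[part];
  }
  cursor[parts[parts.length - 1]] = value;
  return obj;
}

// Runtime canary: a fresh literal must never carry these properties.
// Cheap enough to run in a health check or after processing each request.
function prototypeIsClean() {
  const probe = {};
  return probe.isAdmin === undefined && probe.role === undefined;
}

// Constructed hostile payload mixing all three vectors with a benign field.
function demo() {
  const hostile = JSON.parse(
    '{"__proto__": {"isAdmin": true},' +
    ' "constructor": {"prototype": {"role": "admin"}},' +
    ' "profile": {"name": "alice"}}'
  );
  const merged = hardenedMerge(Object.create(null), hostile);
  let pathRejected = false;
  try {
    hardenedSetPath({}, 'a.__proto__.isAdmin', true);
  } catch (e) {
    pathRejected = true;
  }
  return { clean: prototypeIsClean(), name: merged.profile.name, pathRejected };
}

console.log(demo()); // { clean: true, name: 'alice', pathRejected: true }
```

Throwing on a blocked path segment rather than silently dropping it is a deliberate choice: a silent skip hides the attempt, while an exception surfaces in logs and error monitoring. `Object.freeze(Object.prototype)` from step 4 is left out here because it is a process-wide switch that can break libraries which legitimately extend built-in prototypes; enable it only after testing the whole dependency tree.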
Which libraries are vulnerable?
Many utility libraries have had prototype pollution issues, including lodash, jQuery's $.extend, and various merge and deep-clone libraries. Run npm audit and update dependencies regularly.
Can this lead to RCE?
Yes, in certain conditions. If polluted properties are used in eval, child_process, or template engines, it can lead to code execution. Several CVEs exist for this.