[{"data":1,"prerenderedAt":169},["ShallowReactive",2],{"blog-vulnerabilities/prototype-pollution":3},{"id":4,"title":5,"body":6,"category":149,"date":150,"dateModified":150,"description":151,"draft":152,"extension":153,"faq":154,"featured":152,"headerVariant":155,"image":154,"keywords":154,"meta":156,"navigation":157,"ogDescription":158,"ogTitle":154,"path":159,"readTime":160,"schemaOrg":161,"schemaType":162,"seo":163,"sitemap":164,"stem":165,"tags":166,"twitterCard":167,"__hash__":168},"blog/blog/vulnerabilities/prototype-pollution.md","Prototype Pollution Explained",{"type":7,"value":8,"toc":139},"minimark",[9,16,21,36,41,66,70,79,83,92,108,127],[10,11,12],"tldr",{},[13,14,15],"p",{},"Prototype pollution is a JavaScript-specific vulnerability where attackers can inject properties into Object.prototype, affecting all objects in the application. This happens through unsafe object merging or path assignment. It can lead to property injection, authentication bypass, or even remote code execution.",[17,18,20],"h2",{"id":19},"how-prototype-pollution-works","How Prototype Pollution Works",[22,23,25],"code-block",{"label":24},"Polluting the prototype",[26,27,32],"pre",{"className":28,"code":30,"language":31},[29],"language-text","// Vulnerable merge function\nfunction merge(target, source) {\n  for (let key in source) {\n    if (typeof source[key] === 'object') {\n      target[key] = merge(target[key] || {}, source[key]);\n    } else {\n      target[key] = source[key];\n    }\n  }\n  return target;\n}\n\n// Attacker sends this payload:\nconst malicious = JSON.parse('{\"__proto__\": {\"isAdmin\": true}}');\n\nmerge({}, malicious);\n\n// Now ALL objects have isAdmin!\nconst user = {};\nconsole.log(user.isAdmin);  // true!\n","text",[33,34,30],"code",{"__ignoreMap":35},"",[37,38,40],"h3",{"id":39},"attack-vectors","Attack Vectors",[42,43,44,51,57],"ul",{},[45,46,47,50],"li",{},[33,48,49],{},"__proto__"," - Direct prototype access",[45,52,53,56],{},[33,54,55],{},"constructor.prototype"," - Through constructor",[45,58,59,60,63,64],{},"Nested path assignment: ",[33,61,62],{},"a.b.c"," where b is ",[33,65,49],{},[17,67,69],{"id":68},"real-world-impact","Real-World Impact",[22,71,73],{"label":72},"Authentication bypass example",[26,74,77],{"className":75,"code":76,"language":31},[29],"// Somewhere in your code:\nif (user.role === 'admin') {\n  // Grant admin access\n}\n\n// After prototype pollution with {\"__proto__\": {\"role\": \"admin\"}}\n// Every object now has role: 'admin'\n// All users get admin access!\n",[33,78,76],{"__ignoreMap":35},[17,80,82],{"id":81},"prevention","Prevention",[22,84,86],{"label":85},"Safe practices",[26,87,90],{"className":88,"code":89,"language":31},[29],"// 1. Use Object.create(null) for untrusted data\nconst safe = Object.create(null);  // No prototype!\n\n// 2. Block dangerous keys\nconst BLOCKED = ['__proto__', 'constructor', 'prototype'];\n\nfunction safeMerge(target, source) {\n  for (let key in source) {\n    if (BLOCKED.includes(key)) continue;\n    // ... rest of merge\n  }\n}\n\n// 3. Use Map instead of plain objects\nconst data = new Map();\n\n// 4. Freeze the prototype (defense in depth)\nObject.freeze(Object.prototype);\n",[33,91,89],{"__ignoreMap":35},[93,94,95,102],"faq-section",{},[96,97,99],"faq-item",{"question":98},"Which libraries are vulnerable?",[13,100,101],{},"Many utility libraries had prototype pollution issues including lodash, jQuery extend, and various merge/deep-clone libraries. Check npm audit and update regularly.",[96,103,105],{"question":104},"Can this lead to RCE?",[13,106,107],{},"Yes, in certain conditions. If polluted properties are used in eval, child_process, or template engines, it can lead to code execution. Several CVEs exist for this.",[109,110,111,117,122],"related-articles",{},[112,113],"related-card",{"description":114,"href":115,"title":116},"Can be enabled by pollution","/blog/vulnerabilities/xss","XSS Explained",[112,118],{"description":119,"href":120,"title":121},"Library security","/blog/vulnerabilities/vulnerable-dependencies","Vulnerable Dependencies",[112,123],{"description":124,"href":125,"title":126},"Related input issue","/blog/vulnerabilities/mass-assignment","Mass Assignment",[128,129,132,136],"cta-box",{"href":130,"label":131},"/","Start Free Scan",[17,133,135],{"id":134},"detect-prototype-pollution","Detect Prototype Pollution",[13,137,138],{},"Our scanner identifies code patterns vulnerable to prototype pollution.",{"title":35,"searchDepth":140,"depth":140,"links":141},2,[142,146,147,148],{"id":19,"depth":140,"text":20,"children":143},[144],{"id":39,"depth":145,"text":40},3,{"id":68,"depth":140,"text":69},{"id":81,"depth":140,"text":82},{"id":134,"depth":140,"text":135},"vulnerabilities","2026-01-21","Prototype pollution lets attackers inject properties into JavaScript object prototypes, affecting all objects. Learn how it works and how to prevent it.",false,"md",null,"red",{"noindex":157},true,"Learn how prototype pollution works in JavaScript and how to prevent it.","/blog/vulnerabilities/prototype-pollution","6 min read","[object Object]","TechArticle",{"title":5,"description":151},{"loc":159},"blog/vulnerabilities/prototype-pollution",[],"summary_large_image","pRpGWCnPis8K2QBUZv-htmGEoa4HWCJmL5I0bvCzWW0",1775843926471]