JavaScript Vulnerability

Prototype Pollution

Prototype pollution is a JavaScript vulnerability where attacker-controlled input modifies shared object prototypes, potentially changing application behavior across unrelated objects.

Category: Object Manipulation
Common impact: Logic tampering / DoS
Common surface: Merge / clone / set paths
Risk model: Prototype chain abuse

What is this vulnerability?

Prototype pollution happens when unsafe object operations allow dangerous keys such as __proto__, constructor, or prototype to modify shared JavaScript prototypes.

How it works

If an application recursively merges, clones, or sets properties from untrusted input, attacker-controlled values may become available across unrelated objects. This can affect logic that relies on default object properties.

Minimal vulnerable example

This simplified example shows how unsafe recursive object assignment can let attacker-controlled input affect shared object behavior.

Potential impact

Authorization logic can be altered if polluted properties are trusted.
Application behavior can become inconsistent or unsafe.
Denial of service can occur when built-in methods are overwritten.
In specific template or execution paths, polluted values may contribute to code execution.

Mitigation

Block dangerous keys such as __proto__, constructor, and prototype.
Avoid unsafe recursive merge or object path assignment with untrusted input.
Use hardened object handling patterns such as Object.create(null).
Keep utility libraries updated and review object manipulation code paths carefully.