Prototype pollution is a vulnerability specific to JavaScript where an attacker injects properties into the prototype of base objects like Object.prototype. Because nearly all JavaScript objects inherit from Object.prototype, any property added to it becomes available on every object in the application, potentially altering logic, bypassing security checks, or achieving remote code execution.
How It Works
JavaScript uses prototypal inheritance. When a property is accessed on an object, the runtime first checks the object itself, then walks up the prototype chain until it finds the property or reaches null. If an attacker can inject a property onto Object.prototype, that property becomes the default value for every object that does not explicitly define it.
The attack typically exploits unsafe recursive merge or deep clone functions. When an application merges user-controlled JSON input into an object using code like merge(target, userInput), an attacker can submit {"__proto__": {"isAdmin": true}}. If the merge function does not filter the __proto__ key, it writes isAdmin: true onto Object.prototype. Every subsequent check like if (user.isAdmin) will return true unless the user object has its own isAdmin property explicitly set to false.
The impact ranges from denial of service to remote code execution. On the server side, polluting properties consumed by template engines, child process spawning functions, or module loaders can lead to code execution. For example, polluting the shell or env properties used by Node.js child_process functions can allow an attacker to inject commands. On the client side, prototype pollution can enable cross-site scripting by influencing how frameworks render content or handle sanitization.
Why It Matters
Prototype pollution vulnerabilities are widespread in the JavaScript ecosystem because many popular libraries use unsafe merge patterns. The vulnerability is dangerous because it affects application behavior globally rather than at a single injection point. Security assessments targeting Node.js applications should examine all code paths where user-controlled input is merged, cloned, or recursively assigned to objects, as these represent potential pollution vectors with severe consequences.
Need your application tested? Get in touch.