CyberGlossary

Vulnerabilities

Prototype Pollution

Also known as: Object.prototype pollution, __proto__ injection

Definition

A JavaScript vulnerability in which untrusted input modifies Object.prototype, injecting properties that every ordinary object then inherits and changing application behaviour, in some cases up to remote code execution.

Prototype pollution exploits JavaScript's prototype chain. When a recursive merge, deep clone, or assignment routine walks attacker-controlled keys and writes through them, the key __proto__ (or constructor followed by prototype) resolves to Object.prototype rather than to an own property of the target object, so the attacker's values land on Object.prototype and every object that inherits from it exposes them. The bug typically appears in recursive merge utilities, deep clone functions, query-string and form parsers, and template engines that accept user-controlled JSON or nested parameters.

Consequences range from denial of service (a polluted property breaks a core code path) and authentication or authorisation bypass to remote code execution, whenever a polluted property influences a security-relevant lookup that the code reads without checking for an own property (e.g. isAdmin, sandbox, or template rendering options). High-impact CVEs include lodash CVE-2019-10744 and many others in Node.js libraries.

Mitigations: reject or strip __proto__, constructor and prototype keys before merging untrusted data; keep untrusted key/value data in a Map or in an object created with Object.create(null), which has no prototype to pollute; call Object.freeze(Object.prototype) at startup so writes to it fail; test security-relevant flags with hasOwnProperty rather than a plain property read; and use up-to-date libraries whose merge functions already guard these keys. Node.js can additionally be started with --disable-proto=delete to remove the __proto__ accessor, though that does not close the constructor.prototype path.

Examples

  • POSTing {"__proto__":{"isAdmin":true}} to a JSON merge endpoint, so that every object in the process, including freshly created user and session objects, inherits isAdmin and naive role checks pass.
  • Polluting the prototype to alter template rendering options (for example a sandbox or escaping setting the engine reads from an options object) and thereby trigger RCE.
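
Worked example of the mechanism and of the first bullet above. This is an added illustration, not code from the glossary or from any named library: a typical vulnerable recursive merge, the two payload shapes that reach Object.prototype through it, and a hardened merge that refuses them. The payloads, the isAdmin check and the demo functions are constructed for the example.

```javascript
// Added example (not the glossary's or any library's code): a typical
// vulnerable recursive merge, the two payload shapes that reach
// Object.prototype through it, and a hardened merge that refuses them.
// All payloads below are constructed sample input.

const PAYLOAD_PROTO  = '{"__proto__":{"isAdmin":true}}';
const PAYLOAD_CTOR   = '{"constructor":{"prototype":{"isAdmin":true}}}';
const PAYLOAD_BENIGN = '{"settings":{"theme":"dark"}}';

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// VULNERABLE: writes through whatever key the source supplies. For the key
// "__proto__" the lookup target[key] returns Object.prototype; for
// "constructor" it returns the Object function, whose .prototype is again
// Object.prototype. Either way the recursion ends up assigning onto the
// shared prototype instead of onto an own property of target.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!target[key]) target[key] = {};   // inherited values count as "present"
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// HARDENED: refuses the reserved keys outright (throwing makes an attack
// visible in logs) and only descends into containers the target itself owns,
// never into an inherited object such as Object.prototype.
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (RESERVED_KEYS.has(key)) {
      throw new Error(`refusing to merge reserved key "${key}"`);
    }
    const val = source[key];
    if (isPlainObject(val)) {
      const ownContainer =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownContainer) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// The "security-relevant lookup": a naive check that reads through the
// prototype chain, as application code commonly does.
function isAdmin(user) {
  return user.isAdmin === true;
}

// Simulates a JSON merge endpoint built on unsafeMerge, then asks whether an
// unrelated, freshly created user object now passes the admin check.
function demoPollution(payloadJson) {
  const serverConfig = {};
  unsafeMerge(serverConfig, JSON.parse(payloadJson));
  const unrelatedUser = {};                   // never assigned isAdmin
  const polluted = isAdmin(unrelatedUser);
  delete Object.prototype.isAdmin;            // undo the pollution for the rest of the process
  return polluted;
}

// Same endpoint built on safeMerge: reports whether the payload was rejected,
// whether the prototype was polluted, and what the merge produced.
function demoHardened(payloadJson) {
  const serverConfig = { settings: { theme: 'light' } };
  let blocked = false;
  try {
    safeMerge(serverConfig, JSON.parse(payloadJson));
  } catch (e) {
    blocked = true;
  }
  return {
    blocked,
    polluted: isAdmin({}),
    theme: serverConfig.settings.theme,
  };
}

console.log('unsafeMerge + __proto__ payload   -> polluted:', demoPollution(PAYLOAD_PROTO));
console.log('unsafeMerge + constructor payload -> polluted:', demoPollution(PAYLOAD_CTOR));
console.log('safeMerge   + __proto__ payload   ->', demoHardened(PAYLOAD_PROTO));
console.log('safeMerge   + benign payload      ->', demoHardened(PAYLOAD_BENIGN));
```

Two points worth noting. First, Object.keys() on the parsed JSON really does return "__proto__": JSON.parse creates it as an own data property, which is exactly why the merge sees it. Second, the hardened version fixes both halves of the bug: it refuses the reserved keys, and it descends only into containers the target owns, so even a key the deny-list missed could not steer the recursion into an inherited object. Storing the merged result in a Map or an Object.create(null) object, as the mitigations above suggest, removes the prototype from the picture entirely.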

Related terms