Vol. 1 · Ed. 2026
CyberGlossary
Entry № 976

Prototype Pollution

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Prototype Pollution?

Prototype Pollution: A JavaScript vulnerability where untrusted input modifies Object.prototype, injecting properties into every object and changing application behaviour or leading to RCE.


Prototype pollution exploits JavaScript's prototype chain: by setting keys like __proto__, constructor.prototype, or prototype during merge/clone/assign operations, an attacker mutates Object.prototype so every plain object inherits those properties. The bug often appears in recursive merge utilities, deep clone functions, query-string parsers, or template engines that accept user-controlled JSON. Consequences range from denial of service and authentication bypass to remote code execution when polluted properties influence security-relevant lookups (e.g., isAdmin, sandbox, render options). High-impact CVEs include lodash CVE-2019-10744 and many in other Node.js libraries. Mitigations: reject __proto__ / constructor / prototype keys when merging untrusted data, store untrusted data in a Map or in objects created with Object.create(null), run Object.freeze on Object.prototype, and adopt safer libraries.
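As an added example (not code from the glossary or any library it names), the recursive merge pattern described above, vulnerable and hardened side by side, fed the entry's __proto__ payload as constructed sample input; unsafeMerge, safeMerge, isPlainObject and pollutes are names assumed here.

```javascript
// Vulnerable recursive merge: for...in visits the own "__proto__" key that JSON.parse
// creates, target["__proto__"] resolves to Object.prototype, and the nested values land there.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (typeof source[key] === 'object' && source[key] !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (typeof v !== 'object' || v === null) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Hardened merge: skip prototype-related keys, only recurse into the target's own
// properties, and build nested containers with Object.create(null) so nothing inherits.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Constructed payload with the same shape as the entry's first example.
const PAYLOAD = '{"__proto__":{"isAdmin":true}}';
// Merges the payload into an empty object and returns whether an unrelated fresh object
// now inherits isAdmin; the polluted property is deleted afterwards so the check repeats.
function pollutes(mergeFn) {
  mergeFn({}, JSON.parse(PAYLOAD));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}
```

Running pollutes(unsafeMerge) reports true and pollutes(safeMerge) reports false; the same check, applied to a project's own merge or clone helper, is a cheap regression test for this bug class.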

Examples

  1. POSTing {"__proto__":{"isAdmin":true}} to a JSON merge endpoint and gaining admin everywhere.

  2. Polluting the prototype to alter template rendering options and trigger RCE.

Frequently asked questions

What is Prototype Pollution?

A JavaScript vulnerability where untrusted input modifies Object.prototype, injecting properties into every object and changing application behaviour or leading to RCE. It belongs to the Vulnerabilities category of cybersecurity.

What does Prototype Pollution mean?

A JavaScript vulnerability where untrusted input modifies Object.prototype, injecting properties into every object and changing application behaviour or leading to RCE.

How do you defend against Prototype Pollution?

Defences for Prototype Pollution typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Prototype Pollution?

Common alternative names include: Object.prototype pollution, __proto__ injection.
