Prototype pollution is a type of vulnerability in which an attacker is able to modify
Since most objects inherit from the compromised
Object.prototype, the attacker can use this
to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.
One way to cause prototype pollution is through use of an unsafe merge or extend function
to recursively copy properties from an untrusted source object.
Such a call can modify any object reachable from the destination object, and
Object.prototype is usually reachable through the special properties
An attacker can abuse this by sending an object with these property names and thereby modify
Update your library dependencies in order to use a safe version of the merge or extend function. If your library has no fixed version, switch to another library.
In the example below, the untrusted value
req.query.prefs is parsed as JSON
and then copied into a new object:
Prior to lodash 4.17.11 this would be vulnerable to prototype pollution. An attacker could send the following GET request:
This causes the
xxx property to be injected on
Fix this by updating the lodash version:
Note that some web frameworks, such as Express, parse query parameters using extended URL-encoding
When this is the case, the application may be vulnerable even if not using
The example below would also be susceptible to prototype pollution:
In the above example, an attacker can cause prototype pollution by sending the following GET request: