Application Security

Prototype Pollution

A layered and modern walkthrough of prototype pollution, inheritance abuse, unsafe merges, sink discovery, exploitation paths, escalation techniques, and defensive patterns inside modern JavaScript applications.

Prototype pollution occurs when attacker-controlled property names are written into a shared JavaScript prototype, most often Object.prototype, by code that merges or sets properties without checking where a key such as __proto__ (or the pair constructor followed by prototype) actually resolves.

Once polluted, every object that inherits from that prototype, which for Object.prototype means nearly every plain object in the process or page, may receive unexpected properties, behaviors, or values, including objects the attacker never directly touched.

Common Sources

  • Unsafe recursive merges
  • Deep object parsers
  • URL parameter deserializers
  • Improper JSON merging
  • Framework helper utilities

A minimal JSON payload that, once fed to such a merge, adds admin to every plain object:

{
  "__proto__": {
    "admin": true
  }
}

Modern JavaScript applications frequently expose vulnerable merge paths through configuration loaders, UI state synchronizers, hydration logic, query-string parsers, and component frameworks.

Code that automatically merges deeply nested objects introduces this inheritance abuse whenever it recurses into whatever a key resolves to: for the key "__proto__", target["__proto__"] is the target's prototype rather than an own property, so the nested attacker keys are written onto the prototype instead of onto the target.

Common Vulnerable Patterns

merge({}, payload)
Recursive deep-merge helpers (unpatched versions of lodash merge and defaultsDeep, and many hand-rolled equivalents) recurse into "__proto__" and write the nested keys onto Object.prototype.

$.extend(true, {}, payload)
jQuery's deep extend had the same behavior in versions before the fix, for the same reason: it recurses into whatever target[name] resolves to.

Object.assign(target, userInput)
Shallow, so it cannot reach Object.prototype and is often wrongly listed as a pollution source. It is still unsafe on untrusted input: it copies with ordinary assignment, so an own "__proto__" key in userInput replaces target's prototype with the attacker's object, and target then inherits the attacker's keys.
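
The three patterns above, as an added example that is not code from the page or from lodash or jQuery: a minimal recursive merge of the kind found in deep-merge helpers, the same merge hardened, and Object.assign() for contrast. The function names (unsafeMerge, safeMerge) and the payload are this example's own; the payload extends the "__proto__" document shown earlier with two ordinary keys so the hardened merge can be seen to still merge them.

```javascript
"use strict";
// Added example, not code from the page or from any library: a minimal
// recursive merge of the kind found in deep-merge helpers, the same merge
// hardened, and Object.assign() for contrast. All inputs are constructed.

// Vulnerable: recurses into whatever target[key] resolves to. For the key
// "__proto__", target["__proto__"] is Object.prototype, so the nested keys
// are written onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: only own keys, never the three keys that reach a prototype, and
// never recurse into a container the target merely inherits.
const POLLUTION_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (POLLUTION_KEYS.has(key)) continue; // drop the pollution vector outright
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input: the "__proto__" payload plus ordinary keys.
// JSON.parse creates "__proto__" as an own data property, which is exactly
// what lets the merge enumerate it.
const PAYLOAD = '{"__proto__": {"admin": true}, "theme": "light", "nested": {"a": 1}}';

function demoUnsafeMerge() {
  unsafeMerge({}, JSON.parse(PAYLOAD));
  const leaked = ({}).admin === true; // a brand-new, unrelated object now sees admin
  delete Object.prototype.admin;      // undo the pollution so later code is unaffected
  return leaked;                      // true
}

// Object.assign copies own keys with ordinary assignment, so target["__proto__"] = {...}
// swaps target's prototype but never touches Object.prototype: no global pollution,
// though target itself now inherits admin.
function demoObjectAssign() {
  const target = Object.assign({}, JSON.parse(PAYLOAD));
  return { global: ({}).admin === true, local: target.admin === true }; // { global: false, local: true }
}

function demoSafeMerge() {
  const target = safeMerge({ theme: "dark" }, JSON.parse(PAYLOAD));
  return {
    global: ({}).admin === true,   // false
    local: target.admin === true,  // false: the key was dropped, not re-parented
    theme: target.theme,           // "light": ordinary keys still merge
    nestedA: target.nested.a,      // 1
  };
}
```

The hardened merge drops the three keys rather than escaping them, because a merge has no legitimate reason to write them; if the application needs a key literally named "constructor" in user data, store that data on a Map or on Object.create(null) objects instead of relying on the filter.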

High Risk Indicators

  • Recursive merge functions
  • Dynamic object path setters (set(obj, "a.b.c", value) style helpers, and query-string parsers that build nested objects from bracket or dot notation)
  • Automatic state hydration
  • AngularJS angular.merge() and similar framework merge helpers
  • Deep cloning libraries
  • Unsanitized JSON merging
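
A dynamic path setter of the kind listed above, as an added example that is not code from the page or from any library: the naive setter is driven through both the "__proto__" path and the "constructor.prototype" path, and a hardened setter rejects both. The function names (unsafeSetPath, safeSetPath), the attack paths and the sample query string are this example's own assumptions.

```javascript
"use strict";
// Added example, not from the page or any library: a dotted-path setter of the
// kind used by config loaders and state hydration, attacked through both
// prototype paths, and a hardened setter that rejects them. Inputs are constructed.

// Vulnerable: creates intermediate containers only where nothing exists, so it
// happily walks into inherited values: "__proto__" resolves to Object.prototype,
// and "constructor" -> "prototype" reaches it through the Object function.
function unsafeSetPath(obj, path, value) {
  const parts = path.split(".");
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const part = parts[i];
    if (cur[part] == null) cur[part] = {};
    cur = cur[part];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

const POLLUTION_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Hardened: refuse any path segment that can reach a prototype, and only
// descend into containers the object actually owns.
function safeSetPath(obj, path, value) {
  const parts = path.split(".");
  for (const part of parts) {
    if (POLLUTION_KEYS.has(part)) throw new Error("refusing prototype path segment: " + part);
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const part = parts[i];
    if (!hasOwn(cur, part) || cur[part] === null || typeof cur[part] !== "object") cur[part] = {};
    cur = cur[part];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Constructed attacker paths, e.g. what a dot-notation query parser would
// produce from ?__proto__.isAdmin=true or ?constructor.prototype.isAdmin=true.
const ATTACK_PATHS = ["__proto__.isAdmin", "constructor.prototype.isAdmin"];

// Returns, per path, whether an unrelated new object ended up with isAdmin.
function demoUnsafePaths() {
  const result = {};
  for (const path of ATTACK_PATHS) {
    unsafeSetPath({}, path, true);
    result[path] = ({}).isAdmin === true;  // true for both paths
    delete Object.prototype.isAdmin;       // clean up before the next iteration
  }
  return result;
}

function demoSafePaths() {
  const rejected = ATTACK_PATHS.map(path => {
    try { safeSetPath({}, path, true); return false; } catch (e) { return true; }
  });
  const cfg = safeSetPath({}, "user.prefs.theme", "dark"); // legitimate use still works
  return { rejected, theme: cfg.user.prefs.theme, global: ({}).isAdmin === true };
}
```

The second attack path matters when reviewing fixes: a setter that only blocks "__proto__" still reaches Object.prototype through obj.constructor.prototype, which is why the hardened version rejects all three segments and additionally refuses to descend through inherited values.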

Prototype pollution on its own only plants a property; it becomes dangerous once that property is read by a dangerous execution sink or by trusted authorization logic. Finding such a read (a "gadget") is usually the bulk of the work in exploitation.

Attackers often combine prototype pollution with application rendering, templating, or unsafe evaluation paths to achieve privilege escalation, DOM injection, or arbitrary code execution; a polluted option read by a template renderer or a configuration loader is the typical route.

Typical Sinks

  • eval()
  • Function()
  • innerHTML
  • Template renderers
  • Access control checks
  • Configuration loaders

if (user.admin) {
    enableAdminPanel()
}

If Object.prototype.admin has been set to true, every object without an own admin property inherits it, so this check passes for every user and the authorization logic silently fails across the entire application. The same applies server-side, since JSON.parse and most parsers produce plain objects that inherit from Object.prototype.
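
The authorization gate above and a configuration loader of the kind listed under sinks, as an added example that is not code from the page: both sinks read through the prototype chain, both are shown hardened to read only own properties, and a small check reports unexpected keys on Object.prototype. The pollution is simulated directly rather than via a merge, and the function names, the defaults object and the sample user are this example's own assumptions.

```javascript
"use strict";
// Added example, not from the page: two sinks that read through the prototype
// chain (an authorization gate and a configuration loader), the same reads
// hardened, and a check that lists unexpected keys on Object.prototype.
// The pollution is simulated directly; in an application it would arrive via a merge.

// Sink: authorization gate. A polluted "admin" is inherited by every plain
// object, so this passes for every user.
function canOpenAdminPanelUnsafe(user) {
  return Boolean(user.admin);
}
// Hardened: only an own property counts; the prototype chain is not consulted.
function canOpenAdminPanelSafe(user) {
  return Object.prototype.hasOwnProperty.call(user, "admin") && user.admin === true;
}

// Sink: configuration loader letting caller options override defaults. With
// Object.prototype.shell polluted, opts.shell is "present" even when opts is {}.
const DEFAULTS = Object.freeze({ shell: "/bin/sh", timeout: 5000 }); // constructed defaults
function loadConfigUnsafe(opts) {
  const cfg = {};
  for (const key of Object.keys(DEFAULTS)) {
    cfg[key] = opts[key] !== undefined ? opts[key] : DEFAULTS[key];
  }
  return cfg;
}
// Hardened: consult only own keys of opts and build on a null-prototype object
// so the result itself cannot pick up polluted values later.
function loadConfigSafe(opts) {
  const cfg = Object.create(null);
  for (const key of Object.keys(DEFAULTS)) {
    cfg[key] = Object.prototype.hasOwnProperty.call(opts, key) ? opts[key] : DEFAULTS[key];
  }
  return cfg;
}

// Detection: record Object.prototype's own keys at startup, report anything added since.
const BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));
function findPollutedKeys() {
  return Object.getOwnPropertyNames(Object.prototype).filter(k => !BASELINE.has(k));
}

function demoSinks() {
  const user = JSON.parse('{"name": "guest"}'); // constructed non-admin user
  const before = { unsafe: canOpenAdminPanelUnsafe(user), safe: canOpenAdminPanelSafe(user) };
  Object.prototype.admin = true;          // simulated pollution
  Object.prototype.shell = "/tmp/evil";
  const during = {
    unsafe: canOpenAdminPanelUnsafe(user),   // true: gate bypassed
    safe: canOpenAdminPanelSafe(user),       // false
    unsafeShell: loadConfigUnsafe({}).shell, // "/tmp/evil"
    safeShell: loadConfigSafe({}).shell,     // "/bin/sh"
    polluted: findPollutedKeys(),            // ["admin", "shell"]
  };
  delete Object.prototype.admin;
  delete Object.prototype.shell;
  return { before, during, after: findPollutedKeys() }; // after: []
}
```

Reading only own properties at the sink is defense in depth, not a substitute for fixing the merge: a polluted property can still be read by library code you do not control. Freezing Object.prototype at startup, or running Node with --disable-proto=delete, closes the __proto__ route for the whole process, at the cost of breaking any dependency that extends built-in prototypes, so test before enabling either in production.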

Escalation Possibilities

  • Privilege escalation
  • DOM-based XSS
  • Template injection
  • Security control bypass
  • Unexpected application state mutation
  • Configuration poisoning