The most frequent functions that lead to Prototype Pollution

We can always go deeper than one level with prototype pollution: the injected value can itself be a nested object.
Unsanitized assignment of object properties

```javascript
const car = Object.assign({}, userInput);
```

If this input is provided:

```json
{
  "brand": "Mercedes",
  "model": "CLA AMG 45s",
  "__proto__": {
    "evilProperty": "payload"
  }
}
```

this will be the result:

```javascript
const userInput = {
  brand: "Mercedes",
  model: "CLA AMG 45s",
  __proto__: {
    evilProperty: "payload"
  }
};

// Insecure: directly using Object.assign() on untrusted input
const car = Object.assign({}, userInput);

console.log(car.brand);        // "Mercedes"
console.log(car.model);        // "CLA AMG 45s"
console.log(car.evilProperty); // undefined

// BUT here's the danger:
console.log({}.evilProperty);  // "payload" ⚠️ -> Prototype Pollution happened
```
Merging objects

For a merge function to be vulnerable it has to call itself recursively (a deep merge):

```javascript
function merge(target, source) {
  for (let key in source) {
    if (typeof source[key] === 'object' && source[key] !== null) {
      // nested object: create the branch on the target if it is missing, then descend into it
      if (!target[key]) {
        target[key] = {};
      }
      merge(target[key], source[key]);
    } else {
      // primitive value: plain assignment
      target[key] = source[key];
    }
  }
  return target;
}
```
Merge of two normal objects:

```javascript
// object 1 (a plain Car-like object)
let c = { brand: "MERCEDES", model: "CLA AMG 45s" };
// object 2 (a plain CarDate-like object)
let c2 = { date: "2025-07-22" };
// merge
let o = merge(c, c2);
// o is now { brand: "MERCEDES", model: "CLA AMG 45s", date: "2025-07-22" }
```
Merge of a normal object and a prototype-polluting object:

`object["value"]` is the same as `object.value`; in the `__proto__` case we use the bracket (computed-key) notation so that the key is kept as a normal property and we avoid possible runtime errors.

```javascript
// object 1
let c = { brand: "MERCEDES", model: "CLA AMG 45s" };
// object 2: the computed key ["__proto__"] creates an own property named "__proto__"
let c2 = { ["__proto__"]: { dateInParentClass: "2025-07-22" } };
// merge
let o = merge(c, c2);
// o is now { brand: "MERCEDES", model: "CLA AMG 45s" }
// parent of o (Object.prototype) has been polluted:
({}).dateInParentClass === "2025-07-22"; // true
```

We want `__proto__` as the key and an object in the `{ "key": "value" }` structure as its value, in order to inject the `key` property with `value` into the parent (prototype) of the object that is being modified.
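The following is an added example and not part of the original note. It runs the note's recursive `merge` (renamed `unsafeMerge`) against a constructed attacker payload delivered through `JSON.parse`, which is how an own `"__proto__"` key normally reaches server-side code, and places a hardened `safeMerge` beside it. The hardened version, the `isPlainObject` helper, the `FORBIDDEN_KEYS` set and the `runMerge` driver are assumptions introduced here for illustration; they are not from the note.

```javascript
// Added example (not from the original note): the note's deep merge beside a hardened version.

// The recursive merge exactly as the note shows it (vulnerable).
function unsafeMerge(target, source) {
  for (let key in source) {
    if (typeof source[key] === 'object' && source[key] !== null) {
      if (!target[key]) {
        target[key] = {};
      }
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge (added here): own keys only, dangerous keys dropped,
// recursion limited to plain objects the target itself owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (typeof value !== 'object' || value === null) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {   // own, enumerable keys only
    if (FORBIDDEN_KEYS.has(key)) continue;    // never walk into the prototype chain
    const value = source[key];
    if (isPlainObject(value)) {
      // Descend only into a plain object that target owns; an inherited target[key]
      // (such as Object.prototype behind "__proto__") is never reused as a branch.
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input. JSON.parse creates an own "__proto__" data property;
// an object literal written as { __proto__: {...} } would instead set the literal's
// prototype and carry no such key.
const ATTACKER_JSON = '{"model":"CLA AMG 45s","__proto__":{"polluted":"yes"}}';

// Runs one merge implementation against the constructed input and reports whether
// Object.prototype was polluted. The canary is deleted afterwards so the next run starts clean.
function runMerge(mergeFn) {
  const car = { brand: 'MERCEDES' };
  const result = mergeFn(car, JSON.parse(ATTACKER_JSON));
  const pollution = ({}).polluted;          // a fresh object sees it only via Object.prototype
  const ownKeys = Object.keys(result).sort();
  delete Object.prototype.polluted;         // clean up the global side effect
  return { pollution, ownKeys };
}

console.log('vulnerable:', runMerge(unsafeMerge));
// vulnerable: { pollution: 'yes', ownKeys: [ 'brand', 'model' ] }
console.log('hardened:  ', runMerge(safeMerge));
// hardened:   { pollution: undefined, ownKeys: [ 'brand', 'model' ] }
```

Both merges leave `car` with the same own keys, so the pollution is invisible on the returned object; it only shows up on an unrelated `{}`. That is why `({}).polluted` (or any canary property on a fresh object) is the check to run in tests and in a detection hook rather than inspecting the merge result.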