Search
Calendar
July 2025
S M T W T F S
« Jun    
 12345
6789101112
13141516171819
20212223242526
2728293031  
Tags
BEA CTO DBunit Devoxx Eclipse EJB Groovy GWT Hibernate IntelliJ IDEA Java JDBC Jetty JMS Jonathan Lalou JSF JSF2 JUnit Kotlin long tweet Maven Maven 2 Maven 3 MS-DOS Mule Mule ESB Oracle Oracle Coherence PyData2024 Python recommendation Security Sonar Spring SQL Tibco TibcoRV Tomcat tutorial Unix VivaTech Weblogic Weblogic 10 XML XSD
Last posts
Archives

PostHeaderIcon ️ Prototype Pollution: The Silent JavaScript Vulnerability You Shouldn’t Ignore

Author: Jonathan Lalou

Prototype pollution is one of those vulnerabilities that many developers have heard about, but few fully understand—or guard against. It’s sneaky, dangerous, and more common than you’d think, especially in JavaScript and Node.js applications.

This post breaks down what prototype pollution is, how it can be exploited, how to detect it, and most importantly, how to fix it.

What Is Prototype Pollution?

In JavaScript, all objects inherit from Object.prototype by default. If an attacker can modify that prototype via user input, they can change how every object behaves.

This is called prototype pollution, and it can:

  • Alter default behavior of native objects
  • Lead to privilege escalation
  • Break app logic in subtle ways
  • Enable denial-of-service (DoS) or even remote code execution in some cases

Real-World Exploit Example

const payload = JSON.parse('{ "__proto__": { "isAdmin": true } }');
Object.assign({}, payload);

console.log({}.isAdmin); // → true

Now, any object in your app believes it’s an admin. That’s the essence of prototype pollution.

How to Detect It

✅ Static Code Analysis

  • ESLint
    • Use plugins like eslint-plugin-security or eslint-plugin-no-prototype-builtins
  • Semgrep
    • Detect unsafe merges with custom rules

Dependency Scanning

  • npm audit, yarn audit, or tools like Snyk, OWASP Dependency-Check
  • Many past CVEs (e.g., Lodash < 4.17.12) were related to prototype pollution

Manual Testing

Try injecting:

{ "__proto__": { "injected": true } }

Then check if unexpected object properties appear in your app.

️ How to Fix It

1. Sanitize Inputs

Never allow user input to include dangerous keys:

  • __proto__
  • constructor
  • prototype

2. Avoid Deep Merge with Untrusted Data

Use libraries that enforce safe merges:

  • deepmerge with safe mode
  • Lodash >= 4.17.12

3. Write Safe Merge Logic

function safeMerge(target, source) {
  for (let key in source) {
    if (!['__proto__', 'constructor', 'prototype'].includes(key)) {
      target[key] = source[key];
    }
  }
  return target;
}

4. Use Secure Parsers

  • secure-json-parse
  • @hapi/hoek

TL;DR

✅ Task Tool/Approach
Scan source code ESLint, Semgrep
Test known payloads Manual JSON fuzzing
Scan dependencies npm audit, Snyk
Sanitize keys before merging Allowlist strategy
Patch libraries Update Lodash, jQuery

‍ Final Thoughts

Prototype pollution isn’t just a theoretical risk. It has appeared in real-world vulnerabilities in major libraries and frameworks.

If your app uses JavaScript—on the frontend or backend—you need to be aware of it.

Share this post if you work with JavaScript.
️ Found something similar in your project? Let’s talk.

#JavaScript #Security #PrototypePollution #NodeJS #WebSecurity #DevSecOps #SoftwareEngineering

Posted in en-US | Tags: ,

Leave a Reply

(c) 2008 Jonathan Lalou's blog
All Rights Reserved.

Powered by WordPress and WordPress Theme | Host-euro.