Prototype Pollution

Object Prototype Poisoning

Prototype Pollution at a glance

What it is: Untrusted objects are merged or extended into application objects, allowing attackers to set special keys like `__proto__`, `constructor`, or `prototype` that change defaults for all plain objects.

Why it happens: Prototype pollution occurs when applications deep-merge untrusted input into objects or configs, letting attackers modify object prototypes through unsafe merge operations or utilities.

How to fix: Never deep-merge untrusted input; copy only trusted keys into plain objects, strip prototype fields at all depths, and use safe object creation or JSON normalization.

Overview

In JavaScript, plain objects inherit from Object.prototype. If untrusted input is merged into objects without filtering, attackers can set special keys like __proto__, constructor, or prototype. Libraries that perform deep merge or extend operations can propagate these keys into the global prototype chain. Once polluted, every new object can appear to have attacker-chosen properties, impacting control flow, logging, serialization, and even rendering in the browser.

sequenceDiagram participant Browser participant App as App Server participant Merge as Deep Merge Utility Browser->>App: POST /search {'__proto__':{'isAdmin':true}} App->>Merge: merge(defaults, body) Merge-->>App: polluted defaults App-->>Browser: Confirms behavior; later checks see isAdmin on new objects note over App: Prototype chain poisoned across the process

A potential flow for a Prototype Pollution exploit

Where it occurs

It occurs when applications merge untrusted input into configuration or objects—such as request bodies, CLI arguments, or URL parameters—using deep merge utilities without proper validation.

Impact

Pollution can flip boolean checks such as if (obj.isAdmin), inject unexpected headers, crash processes by overriding toString, or cause persistent XSS in client apps. In multi-tenant servers, process-wide effects increase the blast radius.

Prevention

Prevent prototype pollution by avoiding deep merges of untrusted input, whitelisting keys, stripping reserved properties, normalizing via JSON, restricting merges to plain objects, and enforcing schema-validated, strongly typed data.

Examples

Switch tabs to view language/framework variants.

Merging request body into defaults allows `proto` pollution

A handler merges untrusted JSON into a config object. An attacker sets `__proto__` to inject properties into all plain objects.

Vulnerable

JavaScript • Express + lodash.merge — Bad

const merge = require('lodash.merge');
app.post('/search', (req,res)=>{
  const cfg = merge({limit:10, flags:{exact:false}}, req.body); // BUG
  const q = {term: req.body.term || ''};
  // later code creates plain objects that inherit polluted props
  res.json({ok:true, cfg});
});

Line 2: Deep merge of untrusted object without prototype guards

lodash.merge composes object graphs. If you pass untrusted objects with special keys like __proto__, they can poison the prototype of all future objects.

Secure

JavaScript • Express + lodash.merge — Good

const merge = require('lodash.merge');
function safeMerge(dst, src){
  if (src && typeof src === 'object') {
    if (Object.prototype.hasOwnProperty.call(src,'__proto__') || Object.prototype.hasOwnProperty.call(src,'constructor')) return dst;
  }
  return merge(dst, src);
}
app.post('/search', (req,res)=>{
  const input = JSON.parse(JSON.stringify(req.body)); // strips prototypes
  const cfg = safeMerge({limit:10, flags:{exact:false}}, input);
  res.json({ok:true, cfg});
});

Line 9: Sanitize input to plain JSON and refuse `__proto__` or `constructor` keys before merge

Treat untrusted input as data only, serialize-deserialize to drop prototypes, and block special keys before deep merge.

Merging parsed argv into defaults allows prototype pollution

CLI uses `Object.assign(defaults, argv)` with untrusted keys. Passing `--__proto__.x=1` pollutes prototypes.

Vulnerable

JavaScript • Node CLI (minimist) — Bad

const parse = require('minimist');
function configure(defaults){
  const argv = parse(process.argv.slice(2));
  return Object.assign({}, defaults, argv); // BUG
}
module.exports = configure;

Line 4: Shallow assign copies dangerous keys into a new object that may still affect prototypes through nested objects

Argument parsers can produce nested objects for flags like --a.b=1. Without filtering, __proto__ becomes a pollution vector.

Secure

JavaScript • Node CLI (minimist) — Good

const parse = require('minimist');
const BLOCKED = new Set(['__proto__','constructor','prototype']);
function sanitizeKeys(obj){
  for (const k of Object.keys(obj)){
    if (BLOCKED.has(k)) delete obj[k];
    else if (obj[k] && typeof obj[k]==='object') sanitizeKeys(obj[k]);
  }
  return obj;
}
function configure(defaults){
  const argv = sanitizeKeys(parse(process.argv.slice(2)));
  return { ...defaults, ...argv };
}
module.exports = configure;

Line 10: Recursively strip prototype key vectors before merge

Block prototype-reserved keys at every depth before merging untrusted structures.

jQuery deep extend on URL fragment enables prototype pollution and XSS

The page parses `location.hash` into an object and deep-extends UI options. Attackers set `__proto__.toString` to execute code in some sinks.

Vulnerable

JavaScript • jQuery — Bad

const opts = { theme:'light', title:'Demo' };
const user = parseHash(location.hash); // { ...possibly nested }
$.extend(true, opts, user); // BUG: deep extend from untrusted input
render(opts);

Line 3: Deep extend from untrusted source permits prototype keys

Prototype pollution on the client can escalate to XSS when code relies on implicit string conversion or templating.

Secure

JavaScript • jQuery — Good

const SAFE_KEYS = new Set(['theme','title']);
function safeExtend(dst, src){
  if (!src || typeof src !== 'object') return dst;
  for (const [k,v] of Object.entries(src)){
    if (!SAFE_KEYS.has(k)) continue;
    if (v && typeof v==='object') dst[k] = safeExtend({}, v);
    else dst[k] = v;
  }
  return dst;
}
const opts = { theme:'light', title:'Demo' };
const user = parseHash(location.hash);
render(safeExtend({...opts}, user));

Line 5: Implement a positive-key copy and ignore everything else

Copy only known options and never deep-merge arbitrary user objects into global configs.

Object.assign with untrusted options allows pollution chains

Even shallow copies can carry polluted nested objects. Later deep operations or property lookups observe poisoned prototypes.

Vulnerable

JavaScript • Express — Bad

app.post('/render', (req,res)=>{
  const opts = Object.assign({safe:true, headers:{}}, req.body); // BUG
  const headers = opts.headers; // may inherit polluted props
  res.set(headers);
  res.send('ok');
});

Line 2: Blind assign brings attacker-controlled nested structures into trusted objects

Header setting or iteration that does not guard against prototype props can pick up polluted values.

Secure

JavaScript • Express — Good

app.post('/render', (req,res)=>{
  const input = JSON.parse(JSON.stringify(req.body));
  const allowed = { safe:true, headers:{} };
  if (input.headers && typeof input.headers==='object') {
    const clean = Object.create(null);
    for (const [k,v] of Object.entries(input.headers)){
      if (k === '__proto__' || k === 'constructor' || k === 'prototype') continue;
      clean[k] = String(v).slice(0,128);
    }
    allowed.headers = clean;
  }
  res.set(allowed.headers);
  res.send('ok');
});

Line 6: Create header maps with `Object.create(null)` and filter keys explicitly

Use dictionary objects with null prototype for maps and filter dangerous keys.

Pollution sets `toString` to non-function and crashes logging

If logs stringify objects and `toString` is polluted, calls crash or behave unexpectedly.

Vulnerable

JavaScript • Express/Fastify — Bad

app.post('/track', (req,res)=>{
  // store and later log req.body and other objects
  global.store.push(req.body); // BUG: may carry polluted toString
  res.json({ok:true});
});
// somewhere: logger.info('event', {} + global.store[0])

Line 3: Stores untrusted objects which can pollute prototype

Global pollution can break assumptions across the process leading to crashes and availability loss.

Secure

JavaScript • Express/Fastify — Good

app.post('/track', (req,res)=>{
  const input = JSON.parse(JSON.stringify(req.body));
  if ('__proto__' in input || 'constructor' in input) return res.status(400).send('bad');
  global.store.push(input);
  res.json({ok:true});
});

Line 2: JSON round-trip normalizes to plain data and reject special keys

Normalize and validate inputs, never store attacker objects directly.

Deep-merging untrusted headers/options allows prototype poisoning

API route deep-merges `req.body.headers` into a server header map. Attackers add prototype keys and affect future responses.

Vulnerable

JavaScript • Next.js API Route + deepmerge — Bad

import merge from 'deepmerge';
export default function handler(req,res){
  const base = { headers: { 'X-App':'demo' } };
  const cfg = merge(base, req.body); // BUG
  res.setHeader('X-App', cfg.headers['X-App']);
  res.status(200).json({ok:true});
}

Line 4: Deep merge of untrusted nested maps without prototype sanitization

Many deep-merge utilities treat __proto__ like any other key unless configured, enabling prototype poisoning.

Secure

JavaScript • Next.js API Route + deepmerge — Good

import merge from 'deepmerge';
const BLOCK = new Set(['__proto__','prototype','constructor']);
const toPlain = (o)=>JSON.parse(JSON.stringify(o));
const strip = (o)=>{
  if (!o || typeof o !== 'object') return o;
  const clean = Object.create(null);
  for (const [k,v] of Object.entries(o)){
    if (BLOCK.has(k)) continue;
    clean[k] = strip(v);
  }
  return clean;
};
export default function handler(req,res){
  const base = { headers: Object.create(null) };
  const safe = strip(toPlain(req.body));
  const cfg = merge(base, safe, { isMergeableObject: (x)=> x && Object.getPrototypeOf(x)===Object.prototype });
  res.setHeader('X-App', (cfg.headers && cfg.headers['X-App']) || 'demo');
  res.status(200).json({ok:true});
}

Line 15: Build maps with null prototype, strip reserved keys, and restrict merge to plain objects only

Use null-prototype dictionaries, blocklist reserved keys, and restrict mergeable objects.

Engineer Checklist

Block __proto__, constructor, and prototype keys at all depths
Use Object.create(null) for header maps and dictionaries
Avoid deep-merge of user input; copy allows-listed keys into fresh objects
Normalize and validate request bodies with a schema before merging
Audit logging, serialization, and feature flag code paths for reliance on inherited properties

End-to-End Example

An API merges user-provided options into a global config with `lodash.merge`. An attacker sends a body that sets `__proto__.isAdmin = true`. Later, a permission check that creates `{}` and tests `.isAdmin` unexpectedly passes.

Vulnerable

JAVASCRIPT

// Node.js/Express + lodash - Vulnerable prototype pollution

const _ = require('lodash');

const appConfig = {
  theme: 'light',
  language: 'en',
  features: {}
};

app.post('/api/settings', authenticateToken, (req, res) => {
  // VULNERABLE: Deep merge of untrusted user input
  // Attacker sends: { "__proto__": { "isAdmin": true } }
  // This pollutes Object.prototype for the entire application!
  _.merge(appConfig, req.body);
  
  res.json({ message: 'Settings updated', config: appConfig });
});

app.get('/api/admin/users', authenticateToken, (req, res) => {
  // VULNERABLE: Authorization check using polluted prototype
  const user = {};
  user.id = req.user.id;
  user.name = req.user.name;
  
  // After pollution, ALL objects inherit isAdmin: true!
  if (user.isAdmin) {  // This is now true for everyone!
    return res.json(getAllUsers());
  }
  
  res.status(403).json({ error: 'Admin only' });
});

// ALSO VULNERABLE: Object.assign with nested objects
app.patch('/api/preferences', (req, res) => {
  const userPrefs = { notifications: true };
  
  // VULNERABLE: Object.assign doesn't deep clone, but can still be exploited
  // with constructor.prototype pollution
  Object.assign(userPrefs, req.body);
  
  res.json(userPrefs);
});

Secure

JAVASCRIPT

// Node.js/Express - SECURE against prototype pollution

// Utility to filter dangerous keys recursively
function sanitizeObject(obj) {
  const dangerousKeys = ['__proto__', 'constructor', 'prototype'];
  
  if (typeof obj !== 'object' || obj === null) return obj;
  
  if (Array.isArray(obj)) {
    return obj.map(sanitizeObject);
  }
  
  const sanitized = {};
  for (const key in obj) {
    if (obj.hasOwnProperty(key) && !dangerousKeys.includes(key)) {
      sanitized[key] = sanitizeObject(obj[key]);
    }
  }
  return sanitized;
}

const appConfig = {
  theme: 'light',
  language: 'en',
  features: {}
};

app.post('/api/settings', authenticateToken, (req, res) => {
  // SECURE: Whitelist allowed fields, no deep merge
  const allowedFields = ['theme', 'language', 'timezone'];
  const updates = {};
  
  for (const field of allowedFields) {
    if (req.body[field] !== undefined) {
      // Coerce to expected type
      updates[field] = String(req.body[field]);
    }
  }
  
  Object.assign(appConfig, updates);
  res.json({ message: 'Settings updated', config: appConfig });
});

app.get('/api/admin/users', authenticateToken, (req, res) => {
  // SECURE: Explicit permission check, not relying on object properties
  const userId = req.user.id;
  
  // Check against database or explicit role system
  if (req.user.role !== 'admin') {
    return res.status(403).json({ error: 'Admin only' });
  }
  
  res.json(getAllUsers());
});

// SECURE: Use JSON round-trip to remove prototype pollution
app.patch('/api/preferences', (req, res) => {
  // JSON round-trip removes __proto__ and other dangerous keys
  const sanitizedInput = JSON.parse(JSON.stringify(req.body));
  
  // Additional sanitization
  const safeInput = sanitizeObject(sanitizedInput);
  
  // Whitelist specific fields
  const userPrefs = {
    notifications: Boolean(safeInput.notifications),
    email_updates: Boolean(safeInput.email_updates),
    theme: String(safeInput.theme || 'light')
  };
  
  res.json(userPrefs);
});

// ALTERNATIVE: Use null-prototype objects for maps
app.post('/api/user-data', (req, res) => {
  // Create object with no prototype
  const userData = Object.create(null);
  
  // Safe to assign - no prototype chain to pollute
  userData.name = req.body.name;
  userData.email = req.body.email;
  
  res.json(userData);
});

Discovery

This vulnerability is discovered by testing object merge operations or query parameter parsing with special keys like __proto__ or constructor.prototype and observing whether properties are added to JavaScript object prototypes.

1. Baseline object merge test
http
Action

Send normal nested object to understand merge behavior
Request
POST https://app.example.com/api/settings

Headers:

Content-Type: application/json

Body:

{ "preferences": { "theme": "dark", "language": "en" } }
Response
Status: 200

Body:

{ "message": "Settings updated", "merged_config": { "preferences": { "theme": "dark", "language": "en" } } }
Artifacts

merge_operation_confirmed baseline_established
2. Prototype pollution via __proto__
http
Action

Inject __proto__ key to pollute Object.prototype
Request
POST https://app.example.com/api/settings

Headers:

Content-Type: application/json

Body:

{}
Response
Status: 200

Body:

{ "message": "Settings updated", "test_result": "New empty object {}.polluted === true", "note": "Prototype chain poisoned! All new objects inherit polluted properties" }
Artifacts

prototype_pollution_confirmed object_prototype_modified global_state_affected
3. Constructor.prototype pollution
http
Action

Test alternate pollution vector via constructor.prototype
Request
POST https://app.example.com/api/config

Headers:

Content-Type: application/json

Body:

{ "constructor": { "prototype": { "adminMode": true, "bypassAuth": true } } }
Response
Status: 200

Body:

{ "message": "Config merged", "verification": "({}).adminMode === true", "note": "Alternate pollution vector successful" }
Artifacts

constructor_pollution prototype_chain_modified
4. Denial of service via toString pollution
http
Action

Break core JavaScript operations by polluting toString
Request
POST https://app.example.com/api/settings

Headers:

Content-Type: application/json

Body:

{}
Response
Status: 500

Body:

{ "error": "TypeError: Cannot convert object to primitive value", "stack_trace": "at Object.toString...\nat JSON.stringify...\nat logger.info...", "note": "Application crashes on any string coercion operations" }
Artifacts

application_crash dos_confirmed serialization_failure

Exploit steps

An attacker exploits this by polluting object prototypes with malicious properties that affect application logic globally, potentially achieving denial of service, authentication bypass, or remote code execution depending on how the polluted properties are used.

1. Privilege escalation via isAdmin pollution

Pollute prototype with admin flag
http
Action

Inject isAdmin=true into Object.prototype to bypass authorization
Request
POST https://app.example.com/api/search

Headers:

Content-Type: application/json

Body:

{}
Response
Status: 200

Body:

{ "message": "Search completed", "auth_check_result": "Authorization check: ({}).isAdmin === true", "admin_access": "Granted", "note": "All subsequent requests see isAdmin=true on empty objects, bypassing authorization" }
Artifacts

authorization_bypass admin_access_granted privilege_escalation process_wide_pollution
2. Remote code execution via template pollution

Pollute template engine properties for RCE
http
Action

Inject properties that affect template rendering to execute code
Request
POST https://app.example.com/api/render

Headers:

Content-Type: application/json

Body:

{}
Response
Status: 200

Body:

{ "rendered": "DATABASE_URL=postgresql://admin:Pr0dP@ssw0rd2024@db.internal:5432/production\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "note": "Template engine executed attacker code using polluted properties" }
Artifacts

rce_confirmed secrets_extracted template_pollution_exploit code_execution
3. Application-wide denial of service

Crash all request handling
http
Action

Pollute critical methods to break JSON serialization and logging
Request
POST https://app.example.com/api/config

Headers:

Content-Type: application/json

Body:

{}
Response
Status: 500

Body:

{ "error": "Service Unavailable", "impact": "All subsequent requests fail with TypeError", "affected_operations": [ "logging", "JSON.stringify", "string concatenation", "HTTP responses" ], "duration": "Until process restart", "note": "Process-wide DoS affecting all users" }
Artifacts

application_down process_wide_dos service_disruption multi_tenant_impact
4. Data exfiltration via polluted callbacks

Inject malicious error handlers
http
Action

Pollute callback URLs to intercept sensitive error data
Request
POST https://app.example.com/api/webhook

Headers:

Content-Type: application/json

Body:

{}
Response
Status: 200

Body:

{ "message": "Webhook configured", "attacker_receives": { "error_logs": "Database connection errors with credentials", "stack_traces": "Full application source paths and logic", "user_data": "PII from failed operations", "note": "All errors and logs now sent to attacker endpoints" } }
Artifacts

data_exfiltration error_log_theft credential_leak source_disclosure

Specific Impact

Authorization checks that rely on object properties fail in unpredictable ways. Attackers may enable admin features or disable safeguards. In some cases, polluted toString breaks logging and incident monitoring, causing availability issues and delayed detection.

Because pollution is process-wide, multiple tenants or requests can be affected until the process restarts, increasing blast radius and remediation time.

Fix

Replace deep-merge of user input with allow-listed copying into null-prototype objects. Strip reserved keys recursively and normalize inputs with JSON serialization. Add unit tests that attempt to set __proto__ and confirm rejection.

Detect This Vulnerability in Your Code

Sourcery automatically identifies prototype pollution vulnerabilities and many other security issues in your codebase.

Scan Your Code for Free