Prototype Pollution
Prototype pollution is a JavaScript vulnerability in which attacker-controlled input modifies Object.prototype, the object at the top of the prototype chain of almost every object in the runtime. Once it is polluted, the injected properties are inherited by every ordinary object in the process, which can turn into unexpected behaviour, authentication and authorization bypasses, and, where application or library code later feeds a polluted property into something dangerous such as a shell option or a template, remote code execution.
What actually happens
In JavaScript, every ordinary object inherits from Object.prototype (only objects created with Object.create(null) have no prototype at all). Think of it as a base template: when you create an object, any property it does not define itself is looked up on this template. Prototype pollution lets an attacker write to that template through crafted input, because on an ordinary object the key __proto__ is not a normal property but an accessor for the object's prototype, and constructor.prototype reaches the same place by another route.
The attack usually comes through code that builds or merges nested objects from untrusted input: deep merges such as lodash's merge(), defaultsDeep() and zipObjectDeep(), path setters, and query-string or body parsers that turn bracket notation (a[b][c]=v) into nested objects. If the function recurses into a key named __proto__, or into constructor followed by prototype, without filtering it, the attacker's nested values are written onto Object.prototype instead of onto a fresh child object.
What a payload looks like
?__proto__[isAdmin]=true
As a JSON body the same payload is {"__proto__": {"isAdmin": true}}; JSON.parse keeps __proto__ as an own property of the parsed object, and a later deep merge walks into Object.prototype. If your application parses input like this with a vulnerable version of qs, with a parser that treats __proto__ as an ordinary key, or deep-merges the parsed object with a vulnerable version of lodash, the assignment lands on Object.prototype. From then on every check of user.isAdmin passes for every object, including the ones built for unauthenticated requests, because the property is inherited rather than set on the user object itself.
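The mechanism above, as an added example that is not code from the original page or from any of the libraries it names: a deliberately naive bracket-notation query parser and a deliberately naive deep merge, each of which lets a constructed request reach Object.prototype. The function names and the payloads are made up for the illustration; each scenario cleans up the prototype afterwards so the process is left as it was found.

```javascript
// Builds nested objects from keys like a[b][c]=v without filtering key names.
// Deliberately vulnerable: this is the bug, not a recommended parser.
function naiveParseQuery(query) {
  const result = {};
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (pair === '') continue;
    const [rawKey, rawValue = ''] = pair.split('=');
    const path = decodeURIComponent(rawKey).split(/[\[\]]+/).filter(Boolean);
    let node = result;
    for (const segment of path.slice(0, -1)) {
      // node["__proto__"] is an accessor that returns Object.prototype, so for
      // that segment this walks into the shared prototype instead of a child.
      if (node[segment] === null || typeof node[segment] !== 'object') node[segment] = {};
      node = node[segment];
    }
    node[path[path.length - 1]] = decodeURIComponent(rawValue);
  }
  return result;
}

// Deliberately vulnerable deep merge: recurses into any key, including
// "__proto__", and target["__proto__"] is Object.prototype.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Request handler sketch: parse the query, then build a user object for the
// session. The user object is created after the pollution and inherits it.
function handleRequest(query) {
  naiveParseQuery(query);
  const user = { name: 'guest' };
  return {
    seesAdmin: Boolean(user.isAdmin),                                      // true after pollution
    isOwnProperty: Object.prototype.hasOwnProperty.call(user, 'isAdmin'),  // false: inherited
  };
}

// Scenario 1: the query-string payload from the text, against the naive parser.
// Records the effect, then deletes the polluted property to restore the runtime.
function demonstrateQueryPollution() {
  const before = Boolean(({}).isAdmin);
  const outcome = handleRequest('?name=guest&__proto__[isAdmin]=true');  // constructed request
  delete Object.prototype.isAdmin;
  return { before, ...outcome, after: Boolean(({}).isAdmin) };
}

// Scenario 2: the JSON form. JSON.parse keeps "__proto__" as an own property
// (it does not invoke the setter); the naive merge then walks into Object.prototype.
function demonstrateMergePollution() {
  const config = { debug: false };
  naiveMerge(config, JSON.parse('{"__proto__": {"isAdmin": true}, "debug": true}'));  // constructed body
  const leaked = ({}).isAdmin;
  delete Object.prototype.isAdmin;
  return { leaked, debug: config.debug };
}

console.log(demonstrateQueryPollution());   // { before: false, seesAdmin: true, isOwnProperty: false, after: false }
console.log(demonstrateMergePollution());   // { leaked: true, debug: true }
```

The isOwnProperty field is the detail worth noticing: the user object was never touched, and an own-property check on it would have returned false while user.isAdmin returned the polluted value.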
Which packages have had prototype pollution CVEs
It's a recurring problem in JavaScript utility libraries. Packages that do deep object manipulation are the most common source:
- lodash — CVE-2018-16487 (merge, mergeWith and defaultsDeep; fixed in 4.17.11), CVE-2019-10744 (defaultsDeep via a constructor payload; fixed in 4.17.12), CVE-2020-8203 (zipObjectDeep; fixed in 4.17.20). CVE-2021-23337, fixed in 4.17.21, is often listed with these but is a command injection in template(), not prototype pollution; upgrading to 4.17.21 covers all of them.
- qs — CVE-2022-24999 (a Node process hang triggered through __proto__ keys in the query string; fixed in 6.10.3, with backports to older 6.x release lines)
- minimist — CVE-2020-7598 (fixed in 1.2.2) and CVE-2021-44906 (a second prototype pollution in the same argument-setting code; fixed in 1.2.6)
- tough-cookie — CVE-2023-26136 (fixed in 4.1.3)
How to protect against it
Keep utility libraries up to date: the fixes listed above all shipped as patch releases, so routine dependency updates pick them up. Validate request bodies and query strings against a schema before merging them into anything, and make sure every merge, set and parse helper that handles untrusted input skips the keys __proto__, constructor and prototype and copies own properties only. Where code reads a permission off an object, check for an own property (Object.prototype.hasOwnProperty.call(user, 'isAdmin')) rather than trusting an inherited one, and keep attacker-chosen keys in a Map or in an Object.create(null) object, which has no prototype chain to pollute. Object.freeze(Object.prototype) is a reasonable last line of defense in security-sensitive contexts, with three caveats: it must run at startup before anything else loads, it breaks libraries and polyfills that legitimately extend Object.prototype, and in non-strict code a blocked write fails silently instead of throwing. Node's --disable-proto=delete (or =throw) flag removes the __proto__ accessor so that key no longer reaches the prototype; it does nothing about the constructor.prototype path, so it complements key filtering rather than replacing it.
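The defensive patterns from the paragraph above, as an added example that is not code from the original page or from any library it names: a hardened deep merge that filters prototype-path keys and copies own properties only, an own-property authorization check, and a prototype-less container for attacker-chosen keys. The function names and the hostile body are constructed for the illustration.

```javascript
// Keys that reach the prototype chain when a merge recurses into them.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only ordinary objects ({} or Object.create(null)) are merged recursively;
// arrays, class instances and the like are assigned as values.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hardened deep merge: own enumerable keys only (Object.keys never walks the
// chain), prototype-path names skipped, and an existing nested target is
// reused only when the target itself owns it.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Authorization check that an inherited property cannot satisfy.
function isAdmin(user) {
  return Object.prototype.hasOwnProperty.call(user, 'isAdmin') && user.isAdmin === true;
}

// Container for attacker-chosen keys: with no Object.prototype in the chain,
// "__proto__" is just a string key and cannot redirect the write.
function attributesFromEntries(entries) {
  const attrs = Object.create(null);
  for (const [name, value] of entries) attrs[name] = value;
  return attrs;
}

// Constructed hostile body: both classic paths to Object.prototype plus a
// legitimate field that must still be merged.
const HOSTILE_BODY =
  '{"__proto__": {"isAdmin": true}, "constructor": {"prototype": {"isAdmin": true}}, "debug": true}';

function hardenedDemo() {
  const config = { debug: false, limits: { rate: 10 } };
  safeMerge(config, JSON.parse(HOSTILE_BODY));
  const attrs = attributesFromEntries([['__proto__', 'x'], ['role', 'user']]);
  return {
    leaked: ({}).isAdmin,                                                    // undefined: prototype untouched
    debug: config.debug,                                                     // true: legitimate field merged
    rate: config.limits.rate,                                                // 10: unrelated data untouched
    copiedProto: Object.prototype.hasOwnProperty.call(config, '__proto__'),  // false: key was dropped
    protoIsPlainKey: Object.keys(attrs).includes('__proto__'),               // true: stored as a normal key
    attrsHaveNoPrototype: Object.getPrototypeOf(attrs) === null,             // true
  };
}

console.log(hardenedDemo());
console.log(isAdmin({ isAdmin: true }), isAdmin(Object.create({ isAdmin: true })));  // true false
```

Blocking the constructor key outright does reject legitimate data that happens to use that field name; if that matters, block it only when its value is an object containing a prototype key. The own-property check in isAdmin is the cheap backstop that holds even if some other library in the process is later found to be polluting the prototype.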
Check your dependencies for CVEs, CISA KEV entries, and supply chain risks.
Open PackageFix → Free · No signup · No CLI · Runs in your browser