Web Security

Prototype Pollution

Prototype pollution is a JavaScript-specific vulnerability in which an attacker injects properties into Object.prototype (or another shared prototype), so that every object inheriting from it silently gains those properties. Depending on what the application does with the polluted property, this can lead to property injection, application logic bypass (for example an unset isAdmin flag suddenly reading as true), XSS, or, in Node.js, remote code execution via gadgets in libraries that consult options objects. It commonly arises in recursive merge, extend, or deep-clone functions that walk user-controlled keys: a JSON body such as {"__proto__":{"x":1}} parses to an object with an own property literally named __proto__, and when a merge assigns target["__proto__"]["x"] it writes into Object.prototype; the constructor.prototype path reaches the same object. Prevention requires rejecting or allowlisting keys (at minimum __proto__, constructor, and prototype) before copying them, iterating only own properties, using Object.create(null) or Map for dictionaries keyed by untrusted input, and optionally freezing Object.prototype or starting Node with --disable-proto=delete as defence in depth.
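The unsafe recursive merge described above, placed beside a hardened version, as an added example that is not code from the original page. The payloads, the function names unsafeMerge and safeMerge, and the isAdmin property are constructed for illustration; the example also covers the constructor.prototype path, which the text mentions but does not walk through.

```javascript
// Added example: a vulnerable recursive merge next to a hardened one.
// Payloads, function names and the "isAdmin" property are constructed
// for illustration and are not taken from any real application.

// VULNERABLE: walks every enumerable key from the source, including a
// key literally named "__proto__". target["__proto__"] on a plain
// object is Object.prototype, so the recursion writes into it.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === undefined) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: drop the keys that can reach a prototype, copy only own
// properties (never inherited ones), and create nested containers with
// a null prototype so there is nothing to pollute further down.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key]
        : undefined;
      if (existing === null || typeof existing !== 'object') {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payloads. JSON.parse yields an *own* property
// named "__proto__" (an object literal would not), which is why parsed
// request bodies are dangerous input for a recursive merge. The second
// payload reaches Object.prototype through Object.constructor.prototype.
const PAYLOADS = {
  proto: JSON.parse('{"name":"x","__proto__":{"isAdmin":true}}'),
  ctor: JSON.parse('{"constructor":{"prototype":{"isAdmin":true}}}'),
};

// Runs one merge over one payload and reports whether an unrelated,
// freshly created object now inherits isAdmin. Cleans up afterwards so
// each run starts from an unpolluted Object.prototype.
function demo(merge, payload) {
  const config = {};
  merge(config, payload);
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

console.log('unsafeMerge, __proto__ payload  ->', demo(unsafeMerge, PAYLOADS.proto));
console.log('unsafeMerge, constructor payload ->', demo(unsafeMerge, PAYLOADS.ctor));
console.log('safeMerge,   __proto__ payload  ->', demo(safeMerge, PAYLOADS.proto));
console.log('safeMerge,   constructor payload ->', demo(safeMerge, PAYLOADS.ctor));
```

Run it with node; the two unsafeMerge lines print true and the two safeMerge lines print false. The example deliberately does not call Object.freeze(Object.prototype): that is a blunt, process-wide and irreversible measure that breaks libraries which legitimately extend built-in prototypes, so it belongs in an application's startup code only after testing, not in a shared helper.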

Why it matters for your website

  • Maps to an OWASP Top 10 risk category, among the most critical web risks
  • Can lead to data exfiltration, account takeover, or full system compromise
  • Required to fix before passing security reviews for enterprise customers
