Prototype Pollution via __proto__

Description

Prototype Pollution via `__proto__` is a vulnerability in JavaScript where an attacker can modify the prototype of an object, leading to unexpected behavior or security breaches. By manipulating the `__proto__` property, attackers can inject malicious properties or methods into objects, potentially compromising the integrity of the application. To mitigate this vulnerability, developers should avoid using or trusting user-controlled data to modify prototypes and instead implement proper input validation and sanitization measures.

Remediation

Use secure libraries or frameworks that guard against prototype pollution, and sanitize or validate user-supplied data before it is used to modify object prototypes. Avoid merging user-defined objects directly into application-level objects or global prototypes. If an object merging or extending utility is necessary, configure it to ignore `__proto__` or similar special properties (such as `constructor` and `prototype`). Perform regular code reviews and security testing (e.g., SAST, DAST) to detect prototype pollution attempts. Keep dependencies updated, as many libraries have introduced patches or safe defaults to prevent malicious prototype manipulation.
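The merge-utility case described above, as an added example that is not part of the original entry: a naive recursive merge that follows a `__proto__` key from parsed JSON into `Object.prototype`, beside a hardened merge that skips prototype-affecting keys, plus a check a reviewer can run to confirm which behaviour a utility has. The function names (`unsafeMerge`, `safeMerge`, `isPolluted`) and the sample input are assumptions constructed for this example.

```javascript
// Constructed sample input, shaped like a JSON body a merge utility might receive.
// JSON.parse creates "__proto__" as an ordinary own property of the result.
const SAMPLE_INPUT = JSON.parse('{"name":"demo","__proto__":{"isAdmin":true}}');

// Vulnerable: recurses into every key, including "__proto__". On a plain target
// object, target["__proto__"] resolves to Object.prototype, so the nested
// assignment lands on the shared prototype rather than on the target.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: ignore keys that reach the prototype chain, copy only own
// enumerable properties, and never recurse into an inherited target property.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      const ownObject = Object.prototype.hasOwnProperty.call(target, key)
        && typeof target[key] === 'object' && target[key] !== null;
      if (!ownObject) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection check: run the merge on a fresh target, then ask whether an
// unrelated object now sees the injected property. Cleans up afterwards so
// the check itself does not leave Object.prototype polluted.
function isPolluted(mergeFn) {
  mergeFn({}, SAMPLE_INPUT);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}
```

`isPolluted(unsafeMerge)` returns `true` while `isPolluted(safeMerge)` returns `false`, and `safeMerge` still copies the ordinary `name` key.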

References

https://owasp.org/www-community/attacks/Prototype_Pollution
https://cwe.mitre.org/data/definitions/1321.html

Severity

HIGH

OWASP

Code: A03:2021

Category: Injection

Classification

CWE-1321
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

8.2

CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

8.2