Prototype Pollution in 2025: Still a Threat

Prototype Pollution is a JavaScript-specific vulnerability that can lead to XSS, RCE, and DoS. Learn how it works and how to detect it in modern libraries.

ibrahimsql

Prototype Pollution in 2025

Prototype Pollution occurs when an attacker can modify the prototype of a base object in JavaScript (usually Object.prototype). Because almost all objects in JS inherit from this prototype, polluting it affects the entire application.

The Mechanism

In JavaScript, if you try to access a property that doesn't exist on an object, the engine looks up the prototype chain.

let obj = {};
console.log(obj.polluted); // undefined
Object.prototype.polluted = "Yes!";
console.log(obj.polluted); // "Yes!"

Exploitation Vectors

1. Denial of Service (DoS)

Overwrite toString or valueOf methods to throw errors, crashing the application.

2. Property Injection

Inject properties that the application logic relies on.

  • Bypassing Auth: user.isAdmin might be undefined, but if you pollute isAdmin to true, you become admin.

3. Remote Code Execution (RCE)

In Node.js, polluting properties used by child_process.spawn or template engines can lead to shell execution.

Detection

Look for recursive merge functions or deep cloning operations that don't sanitize keys like __proto__, constructor, or prototype.

// Vulnerable merge: it recurses into every key, including "__proto__", so a
// source like {"__proto__": {...}} walks straight into Object.prototype.
function merge(target, source) {
  for (let key in source) {
    if (typeof source[key] === 'object' && source[key] !== null) {
      // Create a missing nested target so ordinary input does not throw;
      // this does not stop the pollution, since target["__proto__"] already exists.
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      merge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

Prevention

  • Freeze the Prototype: Object.freeze(Object.prototype)
  • Map Objects: Use new Map() instead of plain objects for key-value storage.
  • Validation: Keep dependencies updated and use merge or clone functions that reject the __proto__, constructor, and prototype keys.
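An added example (not code from the original post): a recursive merge that only copies own keys and refuses the three keys named in the Detection section, followed by a check that runs a constructed hostile JSON document through it and confirms Object.prototype is untouched. The function and sample names are assumptions made for this illustration.

```javascript
// Added example, not from the original post: a deep merge that only copies
// own keys and refuses the three gadget keys named in the Detection section.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Recursive merge: Object.keys() skips inherited properties, the Set check
// skips keys that would redirect the write into Object.prototype, and a
// nested target is always created as an own property before recursing.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Regression check: merge a hostile JSON document and report whether
// Object.prototype gained a property or the merged object received isAdmin.
function mergeStaysClean(payloadJson) {
  const before = Object.getOwnPropertyNames(Object.prototype).length;
  const merged = safeMerge({ name: 'guest', prefs: {} }, JSON.parse(payloadJson));
  const after = Object.getOwnPropertyNames(Object.prototype).length;
  const probe = {};
  return {
    prototypeUnchanged: before === after && probe.isAdmin === undefined,
    mergedHasIsAdmin: Object.prototype.hasOwnProperty.call(merged, 'isAdmin'),
    mergedTheme: merged.prefs.theme,
  };
}

// Constructed sample input using the key the Detection section warns about.
const HOSTILE_JSON =
  '{"__proto__":{"isAdmin":true},"name":"mallory","prefs":{"theme":"dark"}}';

console.log(mergeStaysClean(HOSTILE_JSON));
```

The same check, run against the vulnerable merge from the Detection section, would report a changed prototype and an inherited isAdmin on every object.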