

Prototype Pollution

Prototype Pollution occurs when untrusted input is used to add or modify attributes of an object prototype. An adversary can exploit this weakness to create new attributes on all objects (and their descendants) or alter the behaviour of existing ones. In JavaScript, this is typically achieved through the special property names `__proto__`, or `constructor` followed by `prototype`: a recursive merge, clone, or path-assignment routine that copies keys from attacker-controlled input follows those names up to `Object.prototype` and writes the attacker's values there. Every object that inherits from the polluted prototype then reports the injected attribute, so a later check such as `if (user.isAdmin)` can succeed for an object that was never given that property. Exploitation may lead to application logic corruption, denial of service, or escalation into remote code execution depending on how polluted objects are later used.
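As an added example (not code from the original page or from any particular library), the following Node.js snippet shows the mechanism end to end: a recursive deep-merge helper of the kind found in many body parsers and config loaders copies a `__proto__` key (or a `constructor.prototype` path) from a JSON payload onto `Object.prototype`, and an authorization check elsewhere that reads `isAdmin` from an unrelated object starts returning true. `unsafeMerge`, `buildSettings`, `isAdmin` and the two payloads are assumed names and constructed inputs for the demonstration.

```javascript
// Added example: a vulnerable recursive merge and the payloads that pollute
// Object.prototype through it. Names (unsafeMerge, buildSettings, isAdmin)
// are illustrative, not from any particular library.

// Vulnerable: copies every enumerable key, including "__proto__" and
// "constructor", and recurses into whatever target[key] resolves to.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      // For key "__proto__", target[key] is Object.prototype; for
      // "constructor" it is the Object function, whose .prototype is
      // Object.prototype. Either way the recursion lands on the global prototype.
      if (!target[key]) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Request handler stand-in: merges per-request JSON settings onto defaults.
function buildSettings(jsonBody) {
  const defaults = { theme: 'light' };
  return unsafeMerge(defaults, JSON.parse(jsonBody));
}

// Authorization check elsewhere in the app. It never sets isAdmin itself and
// relies on the property simply being absent for ordinary users.
function isAdmin(user) {
  return user.isAdmin === true;
}

// Constructed payloads. JSON.parse creates "__proto__" as an own data property
// (it does not invoke the setter), so for...in enumerates it like any other key.
const PAYLOAD_PROTO = '{"theme":"dark","__proto__":{"isAdmin":true}}';
const PAYLOAD_CTOR  = '{"constructor":{"prototype":{"isAdmin":true}}}';

// Runs one payload through the merge and reports isAdmin() for a fresh,
// unrelated object before and after. Removes the polluted property afterwards
// so the rest of the process is not affected.
function demonstrate(payload) {
  const before = isAdmin({ name: 'alice' });
  buildSettings(payload);
  const after = isAdmin({ name: 'alice' });
  delete Object.prototype.isAdmin;
  return { before, after };
}

console.log('__proto__ payload:', demonstrate(PAYLOAD_PROTO));   // { before: false, after: true }
console.log('constructor payload:', demonstrate(PAYLOAD_CTOR));  // { before: false, after: true }
```

The object handed to `isAdmin` is created after the merge and has no `isAdmin` property of its own; it reports `true` only because the lookup falls through to the polluted `Object.prototype`. The same write is reachable through the `constructor` path because `({}).constructor === Object` and `Object.prototype` is the same global prototype.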

Remediation

  • Explicitly define and allow only trusted properties during object manipulation: copy keys from an allowlist of expected names rather than trying to blocklist bad ones.
  • Validate and sanitise all input before it is used in object property assignment. Reject the keys `__proto__`, `constructor`, and `prototype` outright (escaping does not help here), and apply the check at every level of nested input, since merge and clone routines recurse.
  • Use `Object.create(null)` (or a `Map`) for dictionaries and key/value stores so they do not inherit from `Object.prototype` and cannot be reached through `__proto__`.
  • Apply hardening by freezing or sealing prototypes (`Object.freeze(Object.prototype)` or `Object.seal`) where feasible. Do this once at startup, after any library that legitimately extends `Object.prototype` has loaded; note that freezing also makes inherited names such as `toString` and `constructor` non-writable, so code that assigns to them on ordinary objects will fail.
  • Regularly update dependencies; many libraries (e.g., lodash, jQuery) have patched historical prototype pollution flaws in their merge, extend, and set helpers.
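Putting the remediation steps together, here is an added Node.js example (not code from the page or from any library) of a deep merge that applies an allowlist, rejects the three prototype-reaching keys at every depth, keeps settings in a null-prototype container, and freezes `Object.prototype` at startup. `safeMerge`, `parseSettings`, `hardenPrototypes`, `pollutionBlocked` and the allowlist are assumed names for the demonstration, and the JSON inputs are constructed.

```javascript
// Added example: the remediation steps applied to a deep merge. safeMerge,
// parseSettings, hardenPrototypes and pollutionBlocked are illustrative names,
// not an API from any library.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain objects (literal or null-prototype) are merged recursively;
// arrays, class instances, functions and primitives are copied as values.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object' || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Allowlist-based merge. At the top level only keys in `allowed` are copied;
// nested levels (allowed === null) copy any key. The three prototype-reaching
// names are rejected at every depth, even if an allowlist mistakenly lists them.
function safeMerge(target, source, allowed) {
  for (const key of Object.keys(source)) {            // own keys only
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected key: ${key}`);
    }
    if (allowed !== null && !allowed.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      // Never recurse into an inherited property: only an own plain object
      // on the target is reused, otherwise a fresh null-prototype container.
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const child = isPlainObject(own) ? own : Object.create(null);
      target[key] = safeMerge(child, value, null);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const ALLOWED_SETTINGS = new Set(['theme', 'locale', 'notifications']);

// Defaults live in a null-prototype object, so there is no Object.prototype
// behind them for "__proto__" to reach even if a check were missed.
function parseSettings(jsonBody) {
  const settings = Object.create(null);
  settings.theme = 'light';
  return safeMerge(settings, JSON.parse(jsonBody), ALLOWED_SETTINGS);
}

// Last line of defence: freeze the global prototype once at startup, after any
// library that legitimately extends Object.prototype has loaded.
function hardenPrototypes() {
  Object.freeze(Object.prototype);
}

// Returns true when an attempt to add a property to Object.prototype has no
// effect (the assignment throws in strict mode and is ignored otherwise).
function pollutionBlocked() {
  try {
    Object.prototype.polluted = true;
  } catch (e) { /* TypeError under "use strict" once frozen */ }
  const blocked = ({}).polluted === undefined;
  delete Object.prototype.polluted;   // cleans up if the write went through
  return blocked;
}

console.log(parseSettings('{"theme":"dark","debug":true,"notifications":{"email":false}}'));
try {
  parseSettings('{"constructor":{"prototype":{"isAdmin":true}}}');
} catch (e) {
  console.log(e.message);             // rejected key: constructor
}
hardenPrototypes();
console.log('pollution blocked:', pollutionBlocked());   // true
```

Freezing `Object.prototype` is the step most likely to break something: every name on it, including `toString` and `constructor`, becomes non-writable, so code that assigns to one of those names on a plain object (for example `obj.toString = fn`, or the old `Foo.prototype = { ... }; Foo.prototype.constructor = Foo;` pattern) fails silently in sloppy mode and throws in strict mode. Run the full test suite with the freeze enabled before turning it on in production.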

Metadata

  • Severity: high
  • Slug: prototype-pollution

CWEs

  • 915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
  • 20: Improper Input Validation
  • 1321: Improperly Controlled Modification of Object Prototype Attributes (‘Prototype Pollution’)
  • 471: Modification of Assumed-Immutable Data (MAID)

OWASP

  • A08:2021: Software and Data Integrity Failures
  • A03:2021: Injection

Available Labs

Select a language to explore available labs for this vulnerability.


Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.


Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec, code review, and more.
