
Security: Prototype pollution risk in recursive object merge #311

Open
tuanaiseo wants to merge 1 commit into jeremydaly:main from tuanaiseo:contribai/fix/security/prototype-pollution-risk-in-recursive-ob

Conversation

@tuanaiseo

Problem

`deepMerge` only blocks the `__proto__` key, but still recursively merges attacker-controlled nested objects and uses `Object.assign(a, b)` on non-object branches. This can allow pollution through `constructor.prototype`-style payloads or unsafe key propagation when untrusted input reaches merge paths.

Severity: high
File: lib/utils.js

Solution

Harden merge logic by explicitly rejecting __proto__, prototype, and constructor at every depth; avoid Object.assign(a, b) with untrusted objects; and consider replacing with a vetted safe-merge utility that prevents prototype mutation.

Changes

  • lib/utils.js (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

`deepMerge` only blocks the `__proto__` key, but still recursively merges attacker-controlled nested objects and uses `Object.assign(a, b)` on non-object branches. This can allow pollution through `constructor.prototype`-style payloads or unsafe key propagation when untrusted input reaches merge paths.

Affected files: utils.js

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
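A hardened merge along the lines the description asks for (reject `__proto__`, `prototype` and `constructor` at every depth, read only own enumerable keys, and never hand untrusted objects to `Object.assign`), as an added example that is not the project's `lib/utils.js` and not this PR's diff; `safeDeepMerge`, `isPlainObject`, `checkMergeForPollution` and the sample input are hypothetical names and constructed data.

```javascript
// Added example: a hardened recursive merge (not the project's lib/utils.js).
// Keys that can reach Object.prototype are dropped at every depth, only own
// enumerable keys are read, and leaves are assigned directly instead of via
// Object.assign(a, b), so untrusted input cannot mutate a shared prototype.

const FORBIDDEN_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

// Only plain data objects are merged recursively; arrays, class instances,
// functions and null are treated as leaves and replaced wholesale.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Returns a fresh object built from target, then source; neither input is mutated.
function safeDeepMerge(target, source) {
  const out = {};
  for (const layer of [target, source]) {
    if (!isPlainObject(layer)) continue;
    for (const key of Object.keys(layer)) {          // own, enumerable keys only
      if (FORBIDDEN_KEYS.has(key)) continue;          // dropped at every depth
      const value = layer[key];
      out[key] = isPlainObject(value)
        ? safeDeepMerge(out[key], value)              // recurse through the same guard
        : value;                                      // leaf: plain assignment
    }
  }
  return out;
}

// Regression check: merge an untrusted JSON document into trusted defaults with
// the supplied merge function and report whether Object.prototype gained any
// own property in the process.
function checkMergeForPollution(mergeFn, defaults, json) {
  const before = Object.getOwnPropertyNames(Object.prototype).length;
  const merged = mergeFn(defaults, JSON.parse(json));
  const prototypeClean = Object.getOwnPropertyNames(Object.prototype).length === before;
  return { merged, prototypeClean };
}

// Constructed sample input: trusted defaults plus a document that carries a
// legitimate nested override and the two key paths the PR description names.
const SAMPLE_DEFAULTS = { retries: 3, http: { timeout: 1000 } };
const SAMPLE_UNTRUSTED =
  '{"http":{"timeout":250},"__proto__":{"polluted":1},"constructor":{"prototype":{"polluted":1}}}';

console.log(JSON.stringify(checkMergeForPollution(safeDeepMerge, SAMPLE_DEFAULTS, SAMPLE_UNTRUSTED)));
```

Passing the project's existing `deepMerge` to `checkMergeForPollution` in place of `safeDeepMerge` turns this into a regression test for the behaviour the description reports.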